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H.R. 5777, THE “BEST PRACTICES ACT,” AND 
H.R. , A DISCUSSION DRAFT TO RE- 

QUIRE NOTICE TO AND CONSENT OF AN IN- 
DIVIDUAL PRIOR TO THE COLLECTION AND 
DISCLOSURE OF CERTAIN PERSONAL IN- 
FORMATION RELATING TO THAT INDI- 
VIDUAL 


THURSDAY, JULY 22, 2010 

House of Representatives, 

Subcommittee on Commerce, Trade, 

AND Consumer Protection, 
Committee on Energy and Commerce, 

Washington, DC. 

The Subcommittee met, pursuant to call, at 2:33 p.m., in Room 
2322 of the Rayburn House Office Building, Hon. Bobby L. Rush 
[Chairman of the Subcommittee] presiding. 

Members present: Representatives Rush, Stupak, Green, Barrow, 
Castor, Space, Boucher, Whitfield, Stearns, Gingrey, Scalise, and 
Latta. 

Staff present: Michelle Ash, Chief Counsel; Timothy Robinson, 
Counsel; Marc Groman, Counsel; Will Wallace, Special Assistant; 
Brian McCullough, Senior Professional Staff; Shannon Weinberg, 
Counsel; Will Carty, Senior Professional Staff and Counselor; Rob- 
ert Frisby, FTC Detailee; and Sam Costello, Legislative Analyst. 

OPENING STATEMENT OF HON. BOBBY L. RUSH, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS 

Mr. Rush. Good afternoon. Today we are pleased to welcome 
seven witnesses representing the Federal Trade Commission, the 
consumers, industry, especially businesses with an Internet pres- 
ence and whose mainline of business is to create and sell adver- 
tising. And I would like to thank them for taking the time out of 
their busy schedules to share in their perspectives on consumer pri- 
vacy as well as to outline their view as appropriate offline and on- 
line business privacy protection and personal information use prac- 
tices. 

Have you ever been in the midst of a group of people and heard 
someone say “What is said in this room stays in this room?” As 
someone in that room you know just from that statement that what 
may be said could be juicy enough, sensitive enough, or valuable 
enough to tempt one of the other persons in that room to violate 
that compact by leaking that information to people who are not in 
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the room during the discussion. And the very utterance of these 
words evidences a conscious intent by the participants to set the 
needed environmental conditions that will encourage those in the 
room to interact freely with one another to share data, share infor- 
mation without them fearing that that very information will harm 
them economically, emotionally, or otherwise at some point in the 
future. 

As an avid user of the Internet and as a person interested in 
technology and communications, and all things visual, I know there 
is no free lunch when I go onto the Internet and Web site and to 
read or view content, especially when I am not paying for that con- 
tent. That Internet Web site and advertisers on the right, and over- 
head, and operating costs of that Web site know that my informa- 
tion whether it can be used to identify who I am, or whether it gets 
merged in with other user’s information has substantial value and 
can be monetized when it is provided to others. 

Before the House was scheduled to adjourn for its August recess, 
I for one felt that it was imperative on Monday of this week to in- 
troduce privacy legislation in the form of H.R. 5777, the Best Prac- 
tices Act. I also felt it was important that we quickly hold a hear- 
ing in this Subcommittee on the assorted pros and cons of my bill 
as well as other issues outlined in the discussion draft released by 
Chairman Boucher and Ranking Member Stearns of the CIT Sub- 
committee. 

The Best Practices Act speaks to a host of issues affecting con- 
sumer privacy, including consumer’s expectations as to how their 
personal information should be handled, shared, and disclosed to 
third parties. This legislation also addresses other important issues 
including what defaults should be set in connection with those ex- 
pectations to provide regulatory certainty to industry and to inves- 
tors. What safeguards should be crafted to anticipate foreseeable 
abuses and violations of consumer privacy expectations? What sets 
of remedies will make consumers whole in the event of privacy 
breach, and how to calibrate penalties and other possible legal 
causes of action without chilling industry incentives to innovate 
and grow their businesses. 

This legislation also addresses to what extent, if any, should the 
privacy framework set forth in my bill preempt state privacy laws 
and regulations. In holding this hearing I would like to get a better 
handle on how extensively personal information gets shared with- 
out an individual’s understanding and without their consent. I also 
want to shine a spotlight on some of the actual harms that befall 
individual users through no fault of their own. 

With that said I yield back the balance of my time. 

[H.R. 5777 and the discussion draft follow:] 
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2b Session H. K, D I I I 

To foster transparency about the commercial use of personal information, 
provide consumers mth meaningful choice about the collection, use, and 
disclosure of such information, and for other purposes. 


IN THE HOUSE OP REPRESENTATIVES 

July 19, 2010 

Mr. Rush introduced the following bill; which was referred to the Committee 
on Energy and Commerce 


A BILL 

To foster transparency about the commercial use of personal 
information, provide consumers with meaningful choice 
about the collection, use, and disclosure of such informa- 
tion, and for other purposes. 

1 Be it enacted hy the Senate and House of Representa- 

2 tives of ttie United States of America in Congress assembled, 

3 SECTION 1. SHORT TITLE; TABLE OP CONTENTS. 

4 (a) Short Title. — This Act may be cited as the 

5 “Building Effective Strategies To Promote Responsibility 

6 Accoimtability Choice Transparency Innovation Consumer 

7 Expectations and Safeguards Act” or the “BEST PRAC- 

8 TICES Act”. 
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1 (b) Table op Contents.— T he table of contents for 

2 this Act is as follows: 

Sec. 1. Short title; table of contents. 

Sec. 2 Definitions. 

TITLE I— TRANSPARENCY, NOTICE, AND INDIVIDUAL CHOICE 

See. 101. Information to be made available. 

Sec. 102. Provision of notice or notices. 

See. 103. Opt-out consent required for collection and use of covered information 
by a covered entity. 

See. 104. Expre.ss affirmative consent. 

See. 105. Material changes to privacy practices. 

Sec. 106. Exceptions. 

title n— ACCURACY, ACCESS, AND DISPUTE RESOLUTION 

Sec. 201. Accuracy. 

Sec. 202. Access and dispute resolution. 

TITLE III— DATA SECURITY, DATA MINIMIZATION, AND 
ACCOUNTABILITY 


Sec. 301. Data security. 

See. 302. Accountability. 

Sec. 303. Data minimization obligations. 

TITLE SAFE HiVRBOR AND SELF-REGULATORY CHOICE 
PROGILIM 


Sec. 401. 
Sec. 402. 
See. 403. 
Sec. 404. 


Sec. 501. 
Sec. 502. 


Sec. 601. 
Sec. 602. 
See. 603. 
See. 604. 
Sec. 605. 


Sec. 701. 
See. 702, 
See. 703. 
Sec. 704. 


Safe harbor. 

Appr-oval by the Federal Trade Commission. 
Requirements of self-regulatorA^' program. 
Rulemaking. 


TITLE V— EXEMPTIONS 

Use of aggregate or deidentified information. 

Activities covered by other Federal privacy la.^^. 

TITLE VI— APPLICATION AND ENFORCEMENT 


General application. 

Enforcement by the Federal Trade Commission. 
Enforcement by State attorney general. 

Private right of action. 

Effect on other laws. 

TITLE TO— MlSCELLiVNEOUS PROVISIONS 
Review. 

Consumer and business education campaign. 

Effective date. 

Severability. 
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SEC. 2. DEFINITIONS. 

As used in this Act, the follomng definitions apply: 

(1) Aggregate information, — The term “ag- 
gregate information” means data that relates to a 
group or category of sendees or indmduals, from 
which all information identifying an individual has 
been removed. 

(2) Commission. — The term “Commission” 
means the Federal Trade Commission. 

(3) Covered entity.— The term “covered en- 
tity” means a person engaged in interstate com- 
merce that collects or stores data containing covered 
information or sensitive information. Such term does 
not include — 

(A) the Federal Government or any instru- 
mentality of the Federal Government, nor the 
government of any State or political subdivision 
of a State; or 

(B) any person that can demonstrate that 
such person — 

(i) stores covered information from or 
about few'cr than 15,000 individuals; 

(ii) collects covered information from 
or about fewer than 10,000 indmduals 
during any 12-month period; 
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(iii) does not collect or store sensitive 
information; and 

(iv) does not use covered information 
to study, monitor, or analyze the behaAoor 
of indmduals as the person’s primary busi- 
ness. 

(4) COttEBED INPORBOlTION. — 

(A) In CxENERAL. — The term “covered in- 
formation” means, mth respect to an indi- 
vidual, any of the following: 

(i) the first name or initial and last 
name; 

(ii) a postal address; 

(iii) an email address; 

(iv) a telephone or fax number; 

(v) a tax identification number, pass- 
port number, driver’s license number, or 
any other unique government-issued identi- 
fication number; 

(vi) a financial account number, or 
credit card or debit card number, or any 
required security code, access code, or 
password that is necessaiy to permit ac- 
cess to an individual’s financial account; 


.HR 5777 IH 
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(vii) any unique persistent identifier, 
such as a customer number, unique pseu- 
donym or user alias, IP address, or other 
unique identifier, where such identifier is 
used to collect, store or identify informa- 
tion about a specific individual or to create 
or maintain a preference profile; or 

(viii) any other information that is 
collected, stored, used, or disclosed in con- 
nection with any covered information de- 
scribed in clauses (i) through (vii). 

(B) Exclusion. — Such term shall not in- 
clude — ■ 

(i) the title, business address, business 
email address, business telephone number, 
or business fax number associated with an 
individual’s status as an employee of an or- 
ganization, or an individual’s name when 
collected, stored, used, or disclosed in con- 
nection mth such employment status; or 

(ii) any information collected from or 
about an employee by an employer, pro- 
spective employer, or former employer that 
directly relates to the employee-employer 
relationship. 


•HR 5777 IH 



8 


1 

2 

3 

4 

5 

6 

7 

8 
9 

10 

11 

12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 

23 

24 

25 


6 

(5) Operational purpose. — 

(A) In general. — The term “operational 
purpose” means a purpose reasonably neeessaiy 
to facilitate, improve, or safeguard the logistical 
or technical ability of a covered entity to pro- 
vide goods or sendees, manage its operations, 
comply with legal obligations, or protect against 
risks and threats, including— 

(i) pronding, operating, or improwng 
a product or sendee used, requested, or au- 
thorized by an individual, including the on- 
going provision of customer sendee and 
support; 

(ii) analyzing data related to use of 
the product or service for purposes of im- 
provdng the covered entity’s products, sen- 
ices, or operations; 

(iii) basic business functions such as 
accounting, inventory and supply chain 
management, quality assurance, and inter- 
nal auditing; 

(iv) protecting or defending the rights 
or property, including intellectual property, 
of the covered entity against actual or po- 
tential security threats, fraud, theft, unau- 
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thorized transactions, or other illegal ac- 
tivities; 

(v) presenting imminent danger to the 
personal safety of an individual or group of 
indmduals; 

(v4) complying with a Federal, State, 
or local law, rule, or other applicable legal 
requirement, including disclosures pursu- 
ant to a court order, subpoena, summons, 
or other properly executed compulsory 
process; and 

(vii) any other category of operational 
use specified by the Commission by regula- 
tion that is consistent with the purposes of 
this Act. 

(B) Exclusion. — Such term shall not in- 
clude — 

(i) the use of covered information for 
marketing or advertising purposes, or any 
use of or disclosure of covered information 
to a third party for such purposes; or 

(ii) the use of cov^ered information for 
a purpose that an individual acting reason- 
ably under the circumstances would not ex- 
pect based on the product or service used, 
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1 requested, or authorized by the individual 

2 and, if known to the individual, would like- 

3 ly affect the individual’s conduct or deei- 

4 sions mth respect to the covered entity’s 

5 products or services. 

6 (6) Preference profile. — The term “pref- 

7 erence profile” means a list of preferences, eat- 

8 egories of information, or interests — 

9 (A) associated with an indhddual or with 

10 an indhidual’s computer or other device; 

11 (B) inferred from the actual behavior of 

12 the individual, the actual use of the individual’s 

13 computer or other device, or information sup- 

14 plied directly by the indhddual or other user of 

15 a computer or other device; and 

16 (C) compiled and maintained for the pur- 

17 pose of marketing or purposes related to niar- 

18 keting, advertising, or sales. 

19 (7) Publicly AVAILABLE iNPORivLvnoN. — 

20 (A) In GENERAL. — The term “publicly 

21 available information” means any covered infor- 

22 mation or sensitive information that a covered 

23 entity has a reasonable basis to believe is law- 

24 , fully made available to the general public 

25 from— 
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(i) Federal, State, or local gwernment 
I'ecords: 

(ii) widely distributed media; or 

(iii) disclosures to the general public 
that are required to be made by Federal, 
State, or local law. 

(B) Construction. — covered entity has 
a reasonable basis to believe that information is 
lawfully made available to the general public if 
the covered entity has taken steps to deter- 
mine — 

(i) that the information is of a type 
that is available to the general public; and 

(ii) whether an individual can direct 
that the information not be made available 
to the general public and, if so, that the 
individual has not done so. 

(8) Sensitive inforviation. — 

(A) Definition.— T he term “sensitive in- 
formation” means — 

(i) any information that is associated 
with covered information of an individual 
and relates directly to that indhiduaFs — 
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(I) medical histoiy, physical or 
mental health, or the provision of 
health care to the individual; 

(II) race or ethnicity; 

(III) religious beliefs and affili- 
ation; 

(W) sexual orientation or sexual 
behavior; 

(AO income, assets, liabilities, or 
financial records, and other financial 
information associated with a finan- 
cial account, including balances and 
other financial information, except 
when financial account information is 
provided by the individual and is used 
only to process an authorized credit or 
debit to the account; or 

(Adi) precise geolocation informa- 
tion and any information about the 
individual’s activities and relationships 
associated with such geolocation; or 
(ii) an individual’s — 

(I) unique biometric data, includ- 
ing a fingerprint or retina scan; or 

(II) Social Security number. 
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(B) Modified definition by rule- 
ivtAKlNG. — The Commission may, by regulations 
promulgated under section 553 of title 5, 
United States Code, modify the scope or appli- 
cation of the definition of “sensitive informa- 
tion” for purposes of this Act. In promulgating 
such regulations, the Commission shall con- 
sider — 

(i) the purposes of the collection of 
the information and the context of the use 
of the information; 

(ii) how easily the information can be 
used to identify a specific individual; 

(iii) the nature and extent of author- 
ized access to the information; 

(iv) an individual’s reasonable expec- 
tations under the circumstances; and 

(v) adverse effects that may be experi- 
enced by an indmdual if the information is 
disclosed to an unauthorized person. 

(9) Service provider. — The term “service 
provider” means an entity that collects, maintains, 
processes, stores, or otherwise handies covered infor- 
mation or sensitive information on behalf of a cov- 
ered entity, including, for the purposes of serving as 
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a data processing center, distributing the informa- 
tion, prodding customer suppoi’t, maintaining the 
covered entity’s records, information technologj^ 
management, website or other hosting service, fraud 
detection, authentication, and other verification serv- 
ices, or performing other administrative support 
functions for the covered entity. 

(10) Third party. — 

(A) In general. — The term, “third party” 
means, with respect to any covered entity, a 
person that— 

(i) is not related to the covered entity 
b.y common ovmership or corporate control; 
or 

(ii) is a business unit or corporate en- 
tity that holds itself out to the public as 
separate from the covered entity, such that 
an individual acting reasonably under the 
circumstances would not expect it to be re- 
lated to the covered entity or to have ac- 
cess to covered information the indmdual 
provides to that covered entity. 

(B) Collection op information by 
MULTIPLE sources. — For the purpose of this 
definition, where multiple persons collect cov- 
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ered information or sensitive information from 
or about visitors to an online or mobile sendee, 
including a website, all such persons other than 
the operator or publisher of the online or mobile 
service or website shall be considered third par- 
ties unless — 

(i) the person meets the requirements 
of the service provdder exception in section 
106(1); or 

(ii) the person otherwise does not sat- 
isfy the requirements for a third parfy pur- 
suant to the regulations implemented pur- 
suant to subparagraph (C). 

(C) Rulemaiong. — Not later than 18 
months after the date of the enactment of this 
Act, the Commission shall promulgafe regtila- 
tions under section 553 of title 5, United States 
Code, to clarify or modify the definition of third 
party for purposes of this Act. In promulgating 
such regulations, the Commission shall con- 
sider — 

(i) the brand or brands associated 
with a covered entity; 

(ii) the scope and nature of the busi- 
nesses engaged in by a covered entity and 
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1 a third party, including the nature of the 

2 products or services offered by the covered 

3 entity and third partj^; and 

4 (hi) the relationship between a cov- 

5 ered entitj'- and a third party, taking into 

6 account such factors as ownership and con- 

7 trol. 

8 TITLE I— TRANSPARENCY, NO- 

9 TICE, AND INDIVIDUAL 

10 CHOICE 

1 1 SEC. 101. INFORMATION TO BE MADE AVAILABLE. 

12 A covered entity shall, in accordance with the regula- 

13 tions issued under section 102, make available to individ- 

14 uals whose covered information or sensitive information it 

15 collects or maintains the following information about its 

16 information privacy practices and an individual’s options 

17 with regard to such practices: 

18 (1) The identity of the covered entity. 

19 (2) A description of any covered information or 

20 sensitive information collected or stored by the eov- 

21 ered entity. 

22 (3) The specific purposes for which the covered 

23 entity collects and uses the covered information or 

24 sensitive information, including disclosure as to 

25 whether and how' the covered entity customizes prod- 
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1 nets or semces or changes the prices of products or 

2 senices based, in whole or in part, on covered infor- 

3 rnation or sensitive information about indmdual cus- 

4 tomers or users, 

5 (4) The specific purposes for which covered in- 

6 formation or sensitive information may be disclosed 

7 to a third party and the categories of third parties 

8 who may receive such information for each such pur- 

9 pose. 

10 (5) The choice and means the covered entity of- 

11 fers individuals for limiting the collection, use, and 

12 disclosure of covered information or sensitive infor- 

13 rnation, in accordance with sections 103 and 104. 

14 (6) A description of the information for which 

15 an individual may request access and the means to 

16 request such access, in accordance with section 202. 

17 (7) How the covered entity may merge, link, or 

18 combine covered information or sensitive information 

19 collected from the individual with other information 

20 about the individual that the covered entity maj^ ac- 

21 quire from third parties. 

22 (8) The retention schedule for covered informa- 

23 tion and sensitive information in days, months, or 

24 years, or a statement that the covered entity will re- 

25 tain such information indefinitely or permanently. 
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1 (9) Whether or not an individual has the right 

2 to direct the covered entity to delete information ool- 

3 lected from or about the individual. 

4 (10) A reasonable means by which an individual 

5 may contact the covered entity with any inquiries or 

6 complaints regarding the covered entity’s practices 

7 concerning the collection, use, disclosure, or handling 

8 of the individual’s covered information or sensitive 

9 information in accordance with section 302(a). 

10 (11) The process by which the covered entity 

11 notifies individuals of material changes to its policies 

12 and practices. 

13 (12) A hjq)erlink to or a listing of the Cornmis- 

14 sion’s online consumer complaint form or the toll- 

15 free number for the Commission’s Consumer 'Re- 

16 sponse Center. 

17 (13) The effective date of the privucy notice. 

1 8 SEC. 102. PROVISION OF NOTICE OR NOTICES. 

19 (a) In General. — It shall be unlawful for a covered 

20 entity to collect, use, or disclose covered information or 

21 sensitive information unless it provnides the information set 

22 forth in section 101 in concise, meaningful, timely, promi- 

23 nent, and easy-to-understand notice or notices, in accord- 

24 ance with the regulations issued by the Commission under 

25 subsection (b). 
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(b) Etjlemaking. — Not later than 18 months after 
the date of the enactment of this Act, the Commission 
shall promulgate regulations under section 553 of title 5, 
United States Code, to implement this section. In promul- 
gating such regulations, the Commission — 

(1) shall determine the means and timing of the 
notices required under this section, taking into ac- 
count the different media, devices, or methods 
through which the covered entity collects covered in- 
formation or sensitive information; 

(2) shall have the authority to allow for, or re- 
quire, the provision of short notices or limited disclo- 
sures that do not include all of the information set 
forth in section 101, if the Commission by regula- 
tion — 

(A) requires the information to be other- 
■ftise clearly and conspicuously disclosed or 
available to indmduals; and 

(B) determines that the provision of such 
short notices or limited disclosures will accom- 
plish the purposes of this Act to enhance trans- 
parency and provide individuals with meaning- 
ful choice regarding the collection, use, and dis- 
closure of their covered information or sensitive 
information; 
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(3) shall consider — 

(A) whether the notice or notices provide 
indmduals with timely, effective, and meaning- 
ful notice that 'will enable an individual to un- 
derstand relevant information and make in- 
formed choices; 

(B) whether providing notice to individuals 
prior to or contemporaneously mth the collec- 
tion of covered information is practical or rea- 
sonable under the circumstances; 

(C) the costs of implementing the pre- 
scribed notice or notices; 

(D) the different media and context 
through which covered information is collected; 

(E) whether it is reasonable and appro- 
priate under the circumstances for a third party 
or a service provider to be responsible for pro- 
wding notice and obtaining consent as required 
by this title in lieu of a covered entity; and 

(F) the risk to consumers and commeioe of 
over-notification; and 

(4) may issue model notices, 

(c) Exclusion Prom Notice Requirements, — 
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(1) Trade secret information. — Nothing in 
this section shall require a covered entity to reveal 
confidential, trade secret, or proprietaiy information. 

(2) In-person transactions. — Notice under 
this section shall not be required for in-person collec- 
tion of coA'ered information if — 

(A) the covered information is collected for 
an operational purpose; or 

(B) the covered entity only is collecting the 
name, address, email address, telephone or fax 
number of an individual and doeKS not — 

(i) share the covered information with 
third parties; or 

(ii) use the covered information to ac- 
quire additional information about the in- 
dividual from third parties. 

(d) Eetention, — covered entity shall retain copies 
of the notice or notices issued pursuant to this section for 
a period of 6 years after the date on which such notice 
was issued or the date when it was last in effect, whichever 
is later, unless the Commission determines pursuant to the 
ralemaking required under subsection (b) that such reten- 
tion is not practical under the circumstances. 
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1 SEC. 103. OPT-OUT CONSENT REQUIRED FOR COLLECTION 

2 AND USE OF COVERED INFORMATION BY A 

3 COVERED ENTITY. 

4 (a) In General.— E xcept as proidded in subsections 

5 (e) and (f) and section 106, it shall be nnlaivful for a coa'- 

6 ered entity to collect or use covered information about an 

7 individual ivithout the consent of that individual, as set 

8 forth in this section. A coi’ered entity shall be considered 

9 to har^e the consent of an individual for the collection and 

10 use of coA^ered information about the individual if — 

11 (1) the covered entity has provided to the indi- 

12 vidual notice required under section 102 and its im- 

13 plementing regulations; 

14 (2) the covered entity provides the individual 

15 with a reasonable means to exercise an opt-out right 

16 and decline consent for such collection and use; and 

17 (3) the individual either affirmatively grants 

18 consent for such collection and use or does not de- 

19 dine consent at the time notice is presented or made 

20 available to the individual. 

21 (b) Duration op Individual’s Opt-Out.— A n indi- 

22 vidual’ s direction to opt out under this section is effective 

23 permanently, unless otherwise directed by the indmdual. 

24 (c) Subsequent Opt-Out. — ^A covered entity shall 

25 provide an individual with a reasonable means to decline 

26 consent or revoke previously granted consent at any time. 
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1 (d) More Detailed Options.— -A covered entity 

2 may comply with this section by enabling an individual 

3 to decline consent for specific uses of his or her covered 

4 information, provided the individual has been given the op- 

5 portunity to decline consent for the collection and use of 

6 covered information for all pui’poses, other than for an 

7 operational purpose excepted by subsection (e), for which 

8 covered information may be collected and used by the cov- 

9 ered entity. 

10 (e) .Exception for Operational Purposes.— 

1 1 This section shall not apply to the collection or use of cov- 

12 ered information for an operational puipose. 

13 (f) Collection and Use as a Condition op Serv- 

14 ICE. — Nothing in this section shall prohibit a covered enti- 

15 ty from requiring, as a condition of an indmdual’s receipt 

16 of a service or other benefit, including the receipt of an 

17 enhanced or premium version of a product or service oth- 

18 erwise available, the reasonable collection and use of cov- 

19 ered information about the individual, provided that- — 

20 (1) the covered entity has a direct relationship 

21 vsdth the individual; 

22 (2) the covered information is not shared with 

23 any third party except with the express affirmative 

24 consent as set forth in section 104; 
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1 (3) the covered entity provides a clear, promi- 

2 nent, and specific statement describing the specific 

3 purpose or purposes for which covered information 

4 may be used pursuant to section 101; 

5 (4) the individual provides consent by acknowl- 

6 edging the specific uses set forth in the clear and 

7 prominent statement required under paragraph (3) 

8 as part of receiving the seiwice or other benefit from 

9 the covered entity; and 

10 (5) the indhidual is able to later withdraw con- 

1 1 sent for the use by canceling the service or otherwise 

12 indicating that he or she no longer wishes to receive 

13 the service or other benefit. 

14 SEC. 104. EXPRESS AFFIRMATIVE CONSENT. 

15 (a) Disclosure op Covered Inporiviation to 

16 Third Parties. — 

17 (1) Disclosure prohibited. — Except as pro- 

18 vided in section 106 and subject to title IV of this 

19 Act, it shall be unlavTul for a covered entity to dis- 

20 close covered information about an indhddnal to a 

21 third party unless the covered entity has received ex- 

22 press affirmative consent from the individual prior 

23 to the disclosure. 

24 (2) Exception for joint marketing.— Ex- 

25 press affirmative consent shall not be required for 
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1 any disclosure related to the performance of joint 

2 marketing, if the covered entity and the third party 

3 enter into a contractual agreement prohibiting the 

4 third party from disclosing or using the covered iii- 

5 formation except as necessary to carry out the joint 

6 marketing relationship. 

7 (b) Collection, Use, or Disclosure op Sen- 

8 siTiVT? Information.— Except as provided in section 

9 106, a covered entity may not collect, use, or disclose sen- 

10 sitive information from or about an individual for any pur- 

1 1 pose unless the covered entity obtains the express affirma- 

12 five consent of the individual. 

13 (c) Comprehensive Online Data Collection. — 

14 A covered entity may not use hardware or software to 

15 monitor all or substantially all of the indmdual’s Internet 

16 browsing or other significant class of Internet or computer 

17 activity and collect, use, or disclose information concerning 

18 such activity, except — 

19 (1) with the express affirmative consent of the 

20 individual; 

21 (2) for the purpose of making such information 

22 accessible to the individual or for use by the indi- 

23 vidual; or 

24 (3) as provided in section 106. 
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1 (d) Limitation. — third party that receives covered 

2 information or sensitive information from a covered entity 

3 pursuant to this section shall only use such information 

4 for the specific purposes authorized by the individual when 

5 the indmdual granted express affirmative consent for the 

6 disclosure of the information to a third party. 

7 (e) Eevocation op Consent.— A covered entity 

8 that has obtained the express affirmative consent of an 

9 individual pursuant to this section and section 105 shall 

10 prowde the individual with a reasonable means, without 

1 1 charge, to withdraw' consent at any time thereafter. 

12 SEC. 105. MATERIAL CHANGES TO PRIVACY PRACTICES. 

13 (a) Retro ACT iVTD Application. — ^A covered entity 

14 shall provide the notice required by section 102 and obtain 

15 the express affirmative consent of the individual prior to 

16 making a material change in privacy practices governing 

17 previously collected covered information or sensitive infor- 

18 mation from that individual. 

19 (b) Prospectivb Application.— A covered entity 

20 shall not make material changes to its privacy practices 

21 governing the collection, use, or disclosure of covered in- 

22 formation or sensitive information that has not been pre- 

23 wously collected unless, 30 daj's before the effective date 

24 of the material change — 
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1 (1) the covered entity provides individuals with 

2 notice of the material change in accordance with sec- 

3 tion 102; and 

4 (2) if required by sections 103 and 104, obtains 

5 the indmduars consent to the material change or al- 

6 low^s the individual to terminate the individiiars rela- 

7 tionship with the covered entity. 

8 SEC. 106. EXCEPTIONS. 


9 

10 

11 

12 

13 


14 


15 

16 

17 

18 

19 

20 
21 
22 

23 

24 


The consent requirements of sections 103 and 104 
shall not apply to the following: 

(1) Service providers. — 

(A) Wlien a covered entity discloses cov- 
ered information or sensitive information to a 
service provider performing services or func- 
tions on behalf of and under the instraction of 
the covered entity, provided — 

(i) the covered entity obtained the re- 
quired consent for the initial collection of 
such information and provided notice as 
required by section 102; 

(ii) the covered entity enters into a 
contractual agreement that prohibits the 
service provider from using or disclosing 
the information other than to carry out the 
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1 purposes for which the information was 

2 disclosed; and 

3 (iii) in such cases, the covered entity 

4 remains responsible and liable for the pro- 

5 tection of covered information and sensitive 

6 information that has been transferred to a 

7 sendee provider for processing, 

8 (B) ''Adien a service provider subsequently 

9 discloses the information to another service pro- 

10 -vdder in order to perform the same services or 

11 functions described in paragraph (1) on behalf 

12 of the coA^ered entity. 

13 (2) Fraud detection.— C ollection, use, or 

14 disclosure necessary to protect or defend the rights 

15 or property, including intellectual property, of the 

16 coA^ered entity against actual or potential security 

17 threats, fraud, theft, unauthorized transactions, or 

18 other illegal activities. 

19 (3) Imminent danger. — Collection, use, or 

20 disclosure necessary to prevent imminent danger to 

21 the personal safety of an individual or group of indi- 

22 viduals. 

23 (4) Compliance with law.— Collection, use, 

24 or disclosure required in order to comply with a Fed- 

25 eral, State, or local law, rule, or other applicable 
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1 legal requirement, including disclosures pursuant to 

2 subpoena, summons, or other properly executed coni- 

3 pulsoiy process. 

4 (5) Publicly available information. — Col- 

5 lection, use, or disclosure of publicly available irifor- 

6 mation, except that a covered entity may not use 

7 publicly available infomiation about an individual for 

8 marketing purposes if the individual has opted out 

9 of the use by such covered entity of covered informa- 

10 tion or sensitive information for marketing purposes. 

1 1 TITLE II— ACCURACY, ACCESS, 

12 AND DISPUTE RESOLUTION 

13 SEC. 201. ACCURACY. 

14 (a) Reasonable Procedures. — Each covered enti- 

15 ty shall establish reasonable procedures to assure the ac- 

16 curacy of the covered information or sensitive information 

17 it collects, assembles, or maintains. Not later than 18 

18 months after the date of the enactment of this Act, the 

19 Commission shall promulgate regulations under section 

20 553 of title 5, United States Code, to implement this see- 

21 tion. In promulgating such regulations, the Commission 

22 shall consider — 

23 (1) the costs and benefits of ensuring the accu- 

24 racy of the information; 

25 (2) the sensitivily of the information; 
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1 (3) the purposes for which the information will 

2 be used; and 

3 (4) the harms from misuse of the information. 

4 (b) Limited Exception for Fraud Databases. — 

5 The requirement in subsection (a)' shall not prevent the 

6 collection or maintenance of information that may be inae- 

7 curate with respect to a particular individual when that 

8 information is being collected or maintained solely— 

9 (1) for the purpose of indicating whether there 

10 may be a discrepancy or irregularity in the covered 

11 information or sensitive information that is associ- 

12 ated with an individual; and 

13 (2) to help identify, or authenticate the identity 

14 of, an individual, or to protect against or investigate 

15 fraud or other unlawful conduct. 

16' (c) Limited Exception for Publicly AvAiiiABLE 

17 Information. — S ubject to section 202, a covered entity 

18 shall not be required to verify the accuracy of publicly 

19 available information if the covered entity has reasonable 

20 procedures to ensure that the publicly available informa- 

21 tion assembled or maintained by the covered entity accu- 

22 rately reflects the information available to the general 

23 public. 
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1 SEC. 202. ACCESS AND DISPUTE RESOLUTION. 

2 (a) Access and Correction. — covered entity 

3 shall, upon request, provide an individual with reasonable 

4 access to, and the ability to dispute the accuracy or com- 

5 pleteness of, covered information or sensitive information 

6 about that individual if such information may be used for 

7 purposes that could result in an adverse decision against 

8 the individual, including the denial of a right, benefit, or 
. 9 privilege. 

10 . (b) Access to Personajj Profiles. — 

11 (1) In general.— Subject to title a covered 

12 entity shall, upon request, provide an indmdual with 

13 reasonable access to any personal profile about that 

14 individual that the entity stores in a manner that 

15 makes it accessible in the normal course of business. 

16 (2) Specl\l rule for preference pro- 

17 piles. — ^With respect to a preference profile, the ob- 

18 ligation to provide access and correction under this 

19 section is met if the covered entity provides the abil- 

20 ity to review and change the preference information 

21 associated with a unique persistent identifier. 

22 (3) PimTICIPATION IN choice PROGRAil.— This 

23 subsection shall not apply to a covered entity that 

24 participates in a Choice Program under title W. 

25 (c) Notice in Lieu op Access.— S ubject to sub- 

26 section (b), in those instances in which covered inform a- 
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1 tion or sensitive information is used only for purposes that 

2 could not reasonably result in an adverse decision against 

3 an indmdnal, including the denial of a right, benefit, or 

4 privilege, a covered entity shall, upon request by an indi- 

5 vidual, provide the indhndual mth a general notice or rep- 

6 resentative sample of the type or types of information the 

7 covered entity tjq)ically collects or stores for such pur- 

8 poses. 

9 (d) Exceptions.— 

10 (1) A covered entity may decline to provide an 

1 1 individual with access to covered information or sen- 

12 sitive information if the covered entity reasonably 

13 believes — 

14 (A) the individual requesting access cannot 

15 reasonably verify his or her identity as the per- 

16 son to wfoich the information relates; 

17 (B) access by the individual to the infor- 

18 mation is limited by law or legally recognized 

19 privoleg-e; 

20 (C) the information is used for a legitimate 

21 governmental or fraud prevention purpose that 

22 would be compromised by such access; 

23 (D) such request for access is frivolous or 

24 vexatious; 
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1 (B) the privacy or other rights of persons 

2 other than the individual would be violated; or 

3 (P) proprietaiy or confidential information, 

4 technology, or business processes would be re- 

5 vealed as a result. 

6 (2) Where an exception described in paragi’aph 

7 (1) applies only to a portion of the covered informa- 

8 tion or sensitive information maintained by the cov- 

9 ered entity, the covered entity shall provide access 

10 required under subsections (a) and (b) to the infor- 

1 1 mation to which the exception does not apply. 

12 (3) A covered entity may decline an individual’s 

13 request to correct or amend covered information or 

14 sensitive information pertaining to that individual 

15 where — 

16 (A) a reason for denying access to the in- 

17 formation under paragraph (1) would also apply 

18 to the request to correct or amend the informa- 

19 tion; or 

20 (B) doing so would be incompatible with a 

,21 legal obligation, such as a requirement to retain 

22 certain information. 

23 (e) Pees. — covered entity may charge a reasonable 

24 fee, as determined by the Commission, for providing ac- 

25 cess in accordance with subsection (a) or (b). 
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1 (f) Time Limit. — covered entity shall respond to 

2 any access, correction, or amendment request within 30 

3 days of the receipt of the request. Such response must 

4 consist of one or more of the folloMung: 

5 (1) The requested information in accordance 

6 with subsection (a) or (b). 

7 (2) The general notice in accordance mth sub- 

8 section (c). 

9 (3) Instructions for accessing, correcting, or 

10 amending the requested information through an 

1 1 automated mechanism. 

12 (4) A confirmation that the requested correc- 

13 tions or amendments have been made. 

14 (5) A notification that the covered entity is de- 

15 dining to correct or amend information pursuant to 

16 one of the exceptions described in subsection (d), 

17 Such notification shall include the reason or reasons 

18 for not making the suggested correction or amend- 

19 ment, unless one or more of such exceptions would 

20 also apply to the disclosure of the reason or reasons. 

21 (6) A request to resubmit the access request 

22 and an explanation of why the original access re- 

23 quest was deficient in cases where — 
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1 (A) the scope or nature of the request is 

2 unclear or the entity needs more information in 

3 order to respond to the request; 

4 (B) the entity charges a fee as permitted 

5 under subsection (e), and the fee has not been 

6 paid; or 

7 (C) the entity provides interested members 

8 of the public other reasonable and accessible in- 

9 structions for submitting an access request and 

10 such instructions were not followed. 

11 (7) A notification that additional time is needed 

12 where — 

13 (A) the entity cannot reasonably provide a 

14 full response within 30 days of the receipt of 

15 the access; and 

16 (B) the time extension needed for a full re- 

17 sponse is no greater than an additional 30 days. 

18 (g) Rule op Construction. — Nothing in this Act 

19 creates an obligation on a covei’ed entity to provdde an in- 

20 dmdual with the right to delete information. 

21 (h) Additional Requirements Where Correc- 

22 TiON OR Amendment Is Declined. — I f the covered enti- 

23 ty declines to correct or amend the information described 

24 in subsection (a), the covered entity shall— 
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1 (1) note that the information is disputed, in- 

2 eluding the individual’s statement disputing such in- 

3 formation, and take reasonable steps to verify such 

4 information under the procedures outlined in section 

5 201 if such information can be independently 

6 verified; and 

7 (2) where the information was obtained from a 

8 third party or is publicly available information, in- 

9 form the indmdual of the source of the information, 

10 and if reasonably available, where a request for cor- 

11 rection may be directed, and, if the individual pro- 

12 wdes proof that the information is incorrect, correct 

13 the inaccuracy in the covered entity’s records. 

14 (i) Other Limitations.— T he obligations under this 

15 section do not, by themselves, create any obligation on the 

16 covered entity to retain, maintain, reorganize, or restruc- 

17 ture covered information or sensitive information. 

18 (j) Data Retention Exception. — Covered infor- 

19 mation or sensitive information retained by the covered 

20 entity for under 30 days, or such other period of time as 

21 the Commission may determine, shall not be subject to 

22 this section. 

23 (k) Rulemaking.— Not later than 18 months after 

24 the date of the enactment of this Act, the Commission 

25 shall promulgate regulations under section 553 of title 5, 
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1 United States Code, to implement this section. In addi- 

2 tion, the Commission shall promulgate regulations, as nec- 

3 essary, on the application of the exceptions and limitations 

4 in subsection (d), including any additional circumstances 

5 in which a covered entity may limit access to information 

6 under such subsection that the Commission determines to 

7 be appropriate, 

8 TITLE III— DATA SECURITY, 

9 DATA MINIMIZATION, AND AG- 
IO COUNTABILITY 

1 1 SEC. 301. DATA SECURITY. 

12 (a) In General. — Each covered entity and service 

13 provider shall establish, implement, and maintain reason- 

14 able and appropriate administrative, technical, and phys- 

15 ical safeguards to- 
ld (1) ensure the security, integrity, and confiden- 

17 tiality of the covered information or sensitive infor- 

18 mation it collects, assembles, or maintains; 

19 (2) protect against any anticipated threats, rea- 

20 sonably foreseeable vulnerabilities, or hazards to the 

21 , security or integrity of such information; and 

22 (3) protect against unauthorized access to or 

23 use of such information and loss, misuse, alteration, 

24 or destruction of such information. 
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1 (b) Factors for Appropriate Safeguards— Not 

2 later than 18 months after the date of the enactment of 

3 this Act, the Commission shall promulgate regulations 

4 under section 553 of title 5, United States Code, to imple- 

5 ment this section. In promulgating such regulations, the 

6 Commission shall consider — 

7 (1) the size and complexity of an entity; 

8 (2) the nature and scope of the activities of tin 

9 entity; 

10 (3) the sensitivity of the information; 

11 (4) the current state of the art in administra- 

12 five, technical, and physical safeguards for pro- 

13 tecting information; and 

14 (5) the cost of implementing such safeguards, 

15 SEC. 302. ACCOUNTABILITY. 

16 (a) COMPIxAJNTS TO THE COVERED ENTITY. — A COV- 

17 ered entity shall provide a process for individuals to make 

18 complaints concerning the covered entity’s policies and 

19 procedures required by this Act. 

20 (b) Privacy Eisk Assessment. — ^A covered entity 

21 shall conduct an assessment of the risks to indmduals 

22 raised by the collection, use, and disclosure of covered in- 

23 formation or sensitive information prior to the implemen- 

24 tation of commercial projects, marketing initiatives, busi- 

25 ness models, applications, and other products or sendees 
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1 in which the covered entity intends to collect, or believes 

2 there is a reasonable likelihood it will collect, covered in- 

3 formation or sensitive information from or about more 

4 than 1,000,000 individuals. 

5 (c) Periodic Evaluation op Practices.— A cov- 

6 ered entity shall conduct periodic assessments to evalu- 

7 ate — 

8 (1) whether the covered information or sensitive 

9 information the covered entity has collected is and 

10 remains necessaiy for the purposes disclosed at the 

11 time of collection pursuant to section 101 (c) and 

12 (d); and 

13 (2) whether the covered entity’s ongoing collec- 

14 tion practices are and remain necessarj" for a legiti- 

15 mate business purpose. 

16 SEC. 303. DATA MINIMIZATION OBLIGATIONS. 

17 A covered entity that uses covered information or 

18 sensitive information for any purpose shall retain such 

19 data only as long as necessaiy to fulfdl a legitimate busi- 

20 ness purpose or comply with a legal requirement. 
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1 TITLE IV—SAFE HARBOR AND 

2 SELF-REGULATORY CHOICE 

3 PROGRAM 

4 SEC. 401. SAFE HARBOR. 

5 A covered entity that participates in, and is in eompli- 

6 ance with, 1 or more self-regulatoiy programs approved 

7 by the Commission under section 402 (in this title referred 

8 to as a “Choice Program”) shall not be subject to — 

9 (1) the requirements for express affirmative 

10 consent required under subsection 104(a) for the 

11 specified uses of covered information addressed by 

12 the Choice Program as described in section 

13 403(1)(A); 

14 (2) the r-equirement of access to information 

15 under section 202(b); or 

16 (3) liability in a pi’ivate right of action brought 

17 under section 604. 

18 SEC. 402. APPROVAL BY THE FEDERAL TRADE COMMIS- 

19 SION. 

20 (a) Initial Approval.— Not later than 270 days 

21 after the submission of an application for approval of a 

22 Choice Program under this section, the Commission shall 

23 approve or decline to approve such program. The Commis- 

24 sion shall only approve such prognam if the Commission 


•HR 5777 IH 



41 


39 

1 finds, after notice and comment, that the program com- 

2 plies TOth the requirements of section 403. 

3 (b) Approval op Modifications. — The Commis- 

4 sion shall approve or decline to approve any material 

5 change in a Choice Program previously approved by the 

6 Commission within 120 days after submission of an appli- 

7 cation for approval by such program. The Commission 

8 shall only approve such material change if the Commission 

9 finds, after notice and comment, that the proposed change 

10 complies ■with the requirements of section 403. 

11 (e) Duration. — A Choice Program approved by the 

12 Commission under this section shall be approved for a pe- 

13 riod of 5 years. 

14 (d) i\l^PEAljS.— Pinal action by the Commission on 

15 a request for approval, or the failui’e to act vithin 270 

16 days on a request for approval, submitted under this see- 

17 tion may be appealed to a district court of the United 

18 States of appropriate jurisdiction as pro-vided for in sec- 

19 tion 706 of title 5, United States Code. 

20 SEC. 403. REQUIREMENTS OF SELF-REGULATORY PRO- 

21 GRAM. 

22 To be approved as a Choice Program under this sec- 

23 tion, a program shall— 

24 (1) provide indmduals 'with — 
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(A) a clear and conspicuous opt-out mech- 
anism that, when selected by the individual, 
prohibits all covered entities participating in the 
Choice Program from disclosing covered infor- 
mation to a third party for 1 or more specified 
uses, and maj^ offer individuals a preference 
management tool that will enable an individual 
to make more detailed choices about the trans- 
fer of covered information to a third party; and 

(B) a clear and conspicuous mechanism to 
set communication preferences, online behav- 
ioral advertising preferences, and such other 
preferences as the Choice Program may deter- 
mine, subject to the approval of the Commis- 
sion, that when selected by the individual, ap- 
plies the individual’s selected preferences to all 
covered entities participating in the Choice Pro- 
gram; and 

(2) establish — 

(A) guidelines and procedures requiring a 
participating covered entity to provide equiva- 
lent or gi’eater protections for individuals and 
their covered information and sensitive informa- 
tion as are provided under titles I and II; 
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(B) procediires for reviewing applications 
covered entities to participate in the Choice 

Program; 

(C) procedures for periodic assessment of 
its procedures and for conducting periodic ran- 
dom compliance testing of covered entities par- 
ticipating in such Choice Program; and 

(D) consequences for failure to comply 
with program requirements, such as public no- 
tice of the covered entity’s noncompliance, sus- 
pension, or expulsion from the program, or re- 
ferral to the Commission for enforcement. 

SIC. 404. RULEMAKING. 

Not later than 18 months after the date of enactment 
of this Act, the Commission shall promulgate regulations 
under section 553 of title 5, United States Code, to imple- 
ment this section and to provide compliance guidance for 
entities seeking to be approved under this title, including 
regulations — 

(1) establishing criteria for the submission of 
the application, including evidence of how' the Choice 
Program will comply with the requirements of sec- 
tion 403; 

(2) establishing criteria for opt-out mechanisms 
and communication preferences, online behavioral 
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1 advertising preferences, or other preferences meeting 

2 the requirements of this title; 

3 (3) establishing consequences for failure to 

4 comply with the requirements of section 403, such 

5 as public notice of the Choice Program’s noneompli- 

6 ance and suspension or revocation of the Commis- 

7 sion’s approval of such Program as described in sec- 

8 tion 402; 

9 (4) allowing for and promoting continued evo- 

10 lution and innovation in privacy protection, mean- 

11 ingfal consumer control, simplified approaches to 

12 disclosure, and transparency; and 

13 (5) providing additional incentives for self-regu- 

14 lation by covered entities to implement the protec- 

15 tions afforded individuals under titles I and 11 of 

16 this Act, including prowsions for ensuring that a 

17 covered entity will be considered to be in compliance 

18 with the requirements of titles I and II and the reg- 

19 ulations issued under such titles if that covered enti- 

20 ty complies with guidelines or requirements of a 

21 Choice Program approved under section 402. 


•HB 5777 m 



45 


43 

1 TITLE V-~-EXEMPTIONS 

2 SBC. 501. USE OP AGGREGATE OR DEIDENTIFIED INFORMA- 

3 TION. 

4 (a) 6ENB]RiVL Exclusion. — Subject to subsections 

5 (b) and (e), nothing in this Act shall preclude a covered 

6 entity from collecting, using, or disclosing — 

7 (1) aggregate information; or 

8 (2) covered information or sensitive information 

9 from which identifying information has been ob- 

10 soured or removed using reasonable and appropriate 

11 methods such that the remaining information does 

12 not identify, and there is no reasonable basis to be- 

13 lieve that the information can be used to identify — 

14 , (A) the specific individual to whom such 

15 covered information relates; or 

16 (B) a computer or device owned or used by 

17 a specific indhidual. 

18 (b) Eeasonable Procedures for Disclosuee, — 

19 If a covered entity discloses the information described in 

20 paragraphs (1) and (2) of subsection (a) to a third party, 

21 the covered entity shall take reasonable steps to protect 

22 such information, including, in the case of the information 

23 described in such paragraph (2), not disclosing the algo- 

24 ritlim or other mechanism used to obscure or remove the 

25 identifying information, and obtaining satisfactoiy mitten 
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assurance that the third party will not attempt to recon- 
stract the identiMng information. 

(e) Prohibition on Reconstructing or Reveau- 
iNG Identifying Information. — 

(1) In general.— It shall be unlawful for any 
person to reconstruct or reveal the identifying infor- 
mation that has been removed or obscured (as de- 
scribed in subsection (a)(2)) and for which a covered 
entity claims or has claimed the benefit of the gen- 
eral exemption in subsection (a). 

(2) Rule^lvkjng.— Not later than 18 months 
after the date of the enactment of this Act, the 
Commission shall promulgate regulations under sec- 
tion 553 of title 5, United States Code, to establish 
exemptions to this subsection. In promulgating such 
regulations, the Commission shall consider — 

(A) the purposes for which such identifying 
information may need to be reconstructed or re- 
vealed; 

(B) the size and sensitivity of the data set; 

and 

(C) public policy issues such as health, 
safety, and national security. 
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1 SEC. 502. ACTIVITIES COVERED BY OTHER FEDERAL PKI- 

2 VACY LAWS. 

3 Except as provided expressly in this Act, this Act 

4 shall have no effect on activities covered by any of the 

5 follomng: 

6 (1) Title V of the Gramm-Leach-Bliiey Act (15 

7 U.S.C. 6801 et seq.). 

8 (2) The Pair Credit Reporting Act (15 U.S.C. 

9 1681 et seq.). . 

10 (3) The Health Insurance Portability and Ac- 

11 countability Act of 1996 (Public Law 104-191), 

12 (4) Part C of title XI of the Social Security Act 

13 (42 U.S.C. 1320d et seq,). 

14 (5) Sections 222 and 631 of . the Communica- 

15 tions Act of 1934 (47 U.S.C. 222 and 47 U.S.C. 

16 551). 

17 (6) The Children’s Online Privacy Protection 

18 Act of 1998 (15 U.S.C. 6501 et seq.). 

19 (7) The CAN-SPAM Act of 2003 (15 U.S.C. 

20 7701 et seq.). 

21 (8) The Electronic Communications Privacy Act 

22 of 1986 (18 U.S.C. 2510 et seq.). 

23 (9) The Video Privacy Protection Act (18 

24 U.S.C. 2710 et seq.). 
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1 TITLE VI—APPLICATION AND 

2 ENFORCEMENT 

3 SEC. 601. GENERAL APPLICATION. 

4 The requirements of this Act shall only apply to those 

5 persons over which the Comtnission has authority pursu- 

6 ant to section 5(a)(2) of the Federal Trade Commission 

7 Act. Notwithstanding any provision of such Act or any 

8 other provision of law, common carriers subject to the 

9 Communications Act of 1934 (47 U.S.C. 151 et seq.) and 

10 any amendment thereto shall be subject to the jurisdiction 

11 of the Commission for purposes of this Act. 

12 SEC. 602. ENFORCEMENT BY THE FEDERAL TRADE COM- 

13 MISSION. 

14 (a) Unfair or Deceptive Acts or Practices. — 

15 A violation of titles I, II, or III shall be treated as an 

16 unfair and deceptive act or practice in Aolation of a regu- 

17 lation under section 18(a)(1)(B) of the Federal Trade 

18 Commission Act (15 U.S.C. 57a(a)(l)(B)) regarding un- 

19 fair or deceptive acts or practices. 

20 (b) Powers of Commission.— The Commission 

21 shall enforce this Act in the same manner, by the same 

22 means, and with the same jurisdiction, powers, and duties 

23 as though all applicable terms and provisions of the Fed- 

24 eral Trade Commission Act (15 U.S.C. 41 et seq.) were 

25 incorporated into and made a part of this Act. Any person 
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1 who wolates this Act or the regulations issued under this 

2 Act shall be subject to the penalties and entitled to the 

3 privileges and immunities provided in that Act. 

4 (c) RlTLEMAinNG AUTHORITY. — 

5 (1) Rulemaking. — The Commission may, in 

6 accordance with section 553 of title 5, United States 

7 Code, issue such regulations it determines to be iiec- 

8 essaiw to cari^’ out this Act. 

9 (2) Authority to grant exceptions, — The 

10 regulations prescribed under paragraph (1) may in- 

11 elude such additional exceptions to titles I, II, III, 

12 W, and V of this Act as the Commission considers 

13 consistent vdth the purposes of this Act. 

14 (3) Limitation. — In promulgating rules under 

15 this Act, the Commission shall not require the de- 

16 ployment or use of any specific products or tech- 

17 nologies, including any specific computer softwaie or 

18 hardware. 

19 SEC. 603. ENFORCEMENT BY STATE ATTORNEYS GENERAL. 

20 (a) Civil Action. — In any case in which the Attor- 

21 ney General of a State, or an official or agency of a State, 

22 has reason to believe that an interest of the residents of 

23 that State has been or is threatened or adversely affected 

24 by any person who violates this Act, the attorney general, 

25 official, or agency of the State, as parens patriae, may 
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1 bring a cml action on behalf of the residents of the State 

2 in an appropriate district court of the United States — 

3 (1) to enjoin farther -vdolation of this Act by the 

4 defendant; 

5 . (2) to compel compliance with this Act; or 

6 (3) for violations of titles I, II, or III of this 

7 Act, to obtain cml penalties in the amount deter- 

8 mined under subsection (b). 

9 (b) Cmij PenaijTies. — 

10 (1) CaIjCULATION.— F or purposes of calculating 

1 1 the civil penalties that may be obtained under sub- 

12 section (a)(3) — 

13 (A) with regard to a violation of title I, the 

14 ' amount determined under this paragraph is the 

15 amount calculated by multiplying the number of 

16 days that a covered entity is not in compliance 

17 with such title, or the number of indhiduals foi- 
ls whom the covered entity failed to obtain con- 

19 sent as required by such title, whichever is 

20 greater, by an amount not to exceed $11,000; 

21 and 

22 (B) with regard to a tyolation of title II or 

23 III, the amount determined under this para- 

24 graph is the amount calculated by multiplying 

25 the number of days that a covered entity is not 
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in compliance mth such title or titles by an 
amount not to exceed $11,000. 

(2) Adjustment poe inflation. — Beginning 
on the date that the Consumer Piice Index for All 
Urban Consumers is first published by the Bureau 
of Labor Statistics that is after 1 year after the date 
of enactment of this Act, and each year thereafter, 
the amounts specified in subparagi’aphs (A) and (B) 
of paragi’aph (1) shall be increased by the percent- 
age increase in the Consumer Price Index published 
on that date from the Consumer Price Index, pub- 
lished the previous year. 

(3) Maximum total llvbility. — Notwith- 
standing the number of actions which may be 
brought against a person under this section the 
maximum civil penalty for which any person may be 
liable under this section shall not exceed — 

(A) $5,000,000 for any related series of 
violations of title I; and 

(B) $5,000,000 for any related series of 
violations of title II and title III. 

(4) Effect op participation in choice pro- 
GRiUVL— If a covered entity participates in a Choice 
Program established under title W and cures the al- 
leged Uolation of title I or 11 in a reasonable period 
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1 of time after recemng notice of the alleged violation, 

2 siich conduct shall be taken into consideration by a 

3 State or a court in detennining the amount of civil 

4 penalties under this subsection. 

5 (e) Inter\T5Ntion by the FTC. — 

6 (1) Notice and intervention. — The State 

7 shall provide prior written notice of any action under 

8 subsection (a) to the Commission and pro-\dde the 

9 Commission vsdth a copy of its complaint, except in 

10 any case in which such prior notice is not feasible, 

11 in which ease the State shall serve such notice im- 

12 mediately upon instituting such action. The Commis- 

13 sion shall have the right — 

14 (A) to intervene in the action; 

15 (B) upon so intervening, to be heard on all 

16 matters arising therein; and 

17 (C) to file petitions for appeal. 

18 (2) Limitation on state action while ped- 

19 eraIj action is pending. — If the Commission has 

20 instituted a civil action for vdolation of this Act, no 

21 attorney general of a State, or official, or agency of 

22 a State, may bring an action under this section dur- 

23 ing the pendency of that action against any defend- 

24 ant named in the complaint of the Commission for 

25 any wolation of this Act alleged in the complaint. 
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1 (d) Construction. — For pm-poses of bringing anj? 

2 civil action under subsection (a), nothing in this Act shall 

3 be construed to prevent an attorney general of a State 

4 from exercising the powers conferred on the attorney gen- 

5 eral by the laws of that State to — 

6 (1) conduct investigations; 

7 (2) administer oaths or affirmations; or 

8 (3) compel the attendance of witnesses or the 

9 production of documentaiy and other evidence. 

10 SEC. 604. PRIVATE RIGHT OF ACTION. 

11 (a) In GeneraIj. — covered entity, other than a 

12 covered entity that participates in and is in compliance 

13 with a Choice Program established under title IV, who 

14 willfully fails to comply with sections 103 or 104 of this 

15 Act with respect to any individual is liable to that indi- 

16 vidual in a civil action brought in a district court of the 

17 United States of appropriate jurisdiction in an amount 

1 8 equal to the sum of — 

19 (1) the greater of any actual damages of not 

20 less than $100 and not more than $1,000; 

21 (2) such amount of punitive damages as the 

22 court may allow; and 

23 (3) in the case of any successful action under 

24 this section, the costs of the action together with 
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1 reasonable attorney’s fees as determined by the 

2 court. 

3 (b) Limitation. — A civil action under this section 

4 may not be commenced later than 2 years after the date 

5 upon which the claimant first discovered or had a reason- 

6 able opportunity to discover the \iolation. 

7 SEC. 605. EFFECT ON OTHER LAWS. 

8 (a) Preemption op State Laws, — This Act super- 

9 sedes any provision of a statute, regulation, or rule of a 

10 State or political subdivision of a State, mth respect to 

11 those entities covered by the regulations issued pursuant 

12 to this Act, that expressly requires covered entities to im- 

13 plement requirements with respect to the collection, use, 

14 or disclosure of covered information addressed in this Act. 

15 (b) AioditioNxMj Preemption. — 

16 (1) In generaIj. — No person other than a per- 

17 son specified in section 603 or 604 may bring a civil 

18 action under the law's of any State if such action is 

19 premised in whole or in part upon the defendant vio- 

20 lating any prordsion of this Act. 

21 (2) Protection op state consumer protec- 

22 TION LAWS.- — This subsection shall not be constraed 

23 to limit the enforcement of any State consumer pro- 

24 tection law' by an attorney general or other official 

25 of a State. 
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1 (c) Protection op Certain State Laws. — This 

2 Act shall not be eonstraed to preempt the applicability 

3 Of^: 

4 (1) State laws that address the collection, use, 

5 or disclosure of health information or financial infor- 

6 mation; 

7 (2) State laws that address notification require- 

8 ments in the event of a data breach; 

9 (3) State trespass, contract, or tort law; or 

10 (4) other State laws to the extent that, those 

1 1 laws relate to acts of fraud. 

12 (d) Preservation op FTC Authority. — Nothing 

13 in this Act may be construed in any way to limit or affect 

14 the Commission’s authority under any provision of law. 

15 (e) Rule op Construction Relating to Re- 

16 QuiRED Disclosures to GotniRNMENT Entities. — 

17 This Act shall not be construed to expand or limit the 

18 duty or authority of a covered entity, sendee prowder, or 

19 third party to disclose covered information or sensitive iii- 

20 formation to a government entity under any provision of 

21 law. 
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1 TITLE VII™MISCELLANEOUS 

2 PROVISIONS 

3 SEC. 701. REVIEW. 

4 Not later than 5 years after the effective date of the 

5 regulations initially issued under this Act, the Commission 

6 shall — 

7 (1) revdew the implementation of this Act, in- 

8 eluding the effect of the implementation of this Act 

9 on practices relating to the collection, use, and dis- 

10 closure of covered information and sensitive informa- 

11 tion; and 

12 (2) prepare and submit to Congress a report on 

13 the results of the review under paragraph (1). 

14 SEC. 702. CONSUMER AND BUSINESS EDUCATION CAM- 

15 PAIGN. 

16 Beginning on the effective date of this Act as set 

17 forth in section 703, the Commission shall — 

18 (1) conduct a consumer education campaign to 

19 inform individuals of the rights and protections af- 

20 forded by this Act and the steps that indmduals can 

21 take to affirmatively consent or decline consent to 

22 the collection, use, and disclosure of information 

23 under this Act and the regulations issued pursuant 

24 to this Act; and 
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1 (2) provide guidance to businesses regarding 

2 their obligations under this Act, including guidance 

3 on how to participate in a Choice Program approved 

4 under title IV. 

5 SEC. 703. EFFECTIVE DATE. 

6 This Act shall take effect 2 years after the date of 

7 the enactment of this Act. The Commission may stay en- 

8 forcement of this Act for such period of time as the Com- 

9 mission determines necessary to allows for the establish- 

10 ment and Commission approval of a Choice Program 

1 1 under title IV and for covered entities to commence par- 

12 ticipatioii in such a program. 

13 SEC. 704. SEVERABILITY. 

14 If any provision of this Act, or the application thereof 

15 to any person or circumstance, is held unconstitutional or 

16 otherwise invalid, the validity of the remainder of the Act 

17 and the application of such provision to other persons and 

18 circumstances shall not be affected thereby. 

O' 
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To require notice to and consent of an individual prior to the collection 
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M , introduecd the following bill; which was referred to the 

Committee on 


A BILL 

To require notice to and consent of an indmdual prior to 
the collection and disclosure of certain personal informa- 
tion relating to that individual. 

1 Be it enacted by the Senate and House of Kepresenta- 

2 tives of the United States of America in Congress assembled, 

3 SECTION 1. SHORT TITLE. 

4 This Act may be cited as “ [To be proUdedl ’ ’ . 

5 SEC. 2. DEFINITIONS. 

6 In this Act the following definitions apply: 
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(1) Ady^rtisement network. — The term 
’“advertisement netw'ork” means an entity that pro- 
wdes advertisements to participating websites on the 
basis of individuals’ activity across some or all of 
those websites. 

(2) Aggregate information.— The term “ag- 
gregate information” means data that relates to a 
group or category of services or individuals, from 
which all information identifying an individual has 
been removed. 

(3) Commission. — The term “Commission” 
means the Federal Trade Commission. 

(4) Covered entity. — The term “covered en- 
tity”— 

(A) means a person engaged in interstate 
commerce that collects data containing covered 
information; and 

(B) does not include — 

(i) a government agency; or 

(ii) any person that collects covered 
information from fewer than 5,000 individ- 
uals in any 12-month period and does not 
collect sensitive information. 
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(5) Covered information. — The term “cov- 
ered information” means, with respect to an indi- 
vidual, any of the following; 

(A) The first name or initial and last 
name. 

(B) A postal address. 

(C) A telephone or fax number. 

(D) An email address, 

(E) Unique biometric data, including a fin- 
gerprint or retina scan. 

(F) A Social Security number, tax identi- 
fication number, passport number, driver’s li- 
cense number, or any other government-issued 
identification number. 

(G) A Financial account number, or credit 
or debit card number, and any required security 
code, access code, or password that is necessary 
to permit access to an indiUduaTs financial ac- 
count. 

(H) Any unique persistent identifier, such 
as a customer number, unique pseudonym or 
user alias, Internet Protocol address, or other 
unique identifier, where such identifier is used 
to collect, store, or identify information about a 
specific individual or a computer, device, or 
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software application owned or used by a par- 
ticular user or that is othei-wise associated with 
a particular user. 

(I) A preference profile. 

(J) Any other information that is collected, 
stored, used, or disclosed in connection with any 
covered information described in subparagraphs 
(A) through (I). 

(6) First party transaction. — The term 
“first party transaction” means an interaction be- 
tiveen an entity that collects covered information 
when an individual visits that entity’s website or 
place of business and the individual from whom cov- 
ered information is collected. 

(7) Operational purpose. — 

(A) In general. — The term “operational 
purpose” means a purpose reasonably necessary 
for the operation of the covered entity, includ- 
ing— 

(i) providing, operating, or improving 
a product or service used, requested, or au- 
thorized by an individual; 

(ii) detecting, preventing, or acting 
against actual or reasonably suspected 
threats to the covered entity’s product or 
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service, including security attacks, unau- 
thorized transactions, and fraud; 

(iii) analyzing data related to use of 
the product or sendee for purposes of opti- 
mizing or improving the covered entity’s 
products, services, or operations; 

(iv) carrjdng out an employment rela- 
tionship with an individual; 

(v) disclosing' covered information 
based on a good faith belief that such dis- 
closure is necessary to comply with a Fed- 
eral, State, or local law, rule, or other ap- 
plicable legal requirement, including disclo- 
sures pursuant to a court order, subpoena, 
summons, or other properly executed com- 
pulsory process; and 

(vi) disclosing covered information to 
a parent company of, controlled subsidiary 
of, or affiliate of the covered entity, or 
other covered entity under common control 
with the covered entitj^ where the parent, 
subsidiary, affiliate, or other covered entity 
operates under a common or substantially 
similar set of internal policies and proce- 
dures as the covered entity, and the poli- 
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1 cies and procedures include adherence to 

2 the eoY'ered entity’s privacy policies as set 

3 forth in its privacy notice. 

4 (B) Exclusion.— Such term shall not in- 

5 elude the use of covered information for mar- 

6 keting, advertising, or sales purposes, or any 

7 use of or disclosure of covered information to 

8 an unaffiliated party for such purposes. 

9 (8) Preference profile.— T he term “pref- 

10 erence profile” means a list of information, cat- 

1 1 egories of information, or preferences associated 

12 with a specific individual or a computer or device 

13 owned or used by a particular user that is main- 

14 tained by or relied upon by a covered entity. 

15 (9) Render anonymous. — The term “render 

16 anonymous” means to remove or obscure covered in- 

17 formation such that the remaining information does 

18 not identify, and there is no reasonable basis to be- 

19 lieve that the information can be used to identify — 

20 (A) the specific individual to whom such 

21 covered information relates; or 

22 (B) a computer or deface owmed or used by 

23 a particular user. 

24 (10) Sensitive iNPOiauiTioN,— The term 

25 “sensitive information” means any information that 
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1 is associated with covered information of an indi- 

2 vidual and relates to that individTial’s — 

3 (A) medical records, including medical his- 

4 toiy, mental or physical condition, or medical 

5 treatment or diagnosis by a health care profes- 

6 sional; 

7 (B) race or ethnicity; 

8 (C) religious beliefs; 

9 (D) sexual orientation; 

10 (E) financial records and other financial 

1 1 information associated with a financial account, 

12 including balances and other financial informa- 

13 tion; or 

14 (P) precise geolocation information. 

15 (11) Serwce provider. — The term “semee 

16 provider” means an entity that collects, maintains, 

17 processes, stores, or otherwise handles covered infor- 

18 mation on behalf of a covered entity, including, for 

19 the purposes of sendng as a data processing center, 

20 proidding customer support, sendng advertisements 

21 to the website of the covered entity, maintaining the 

22 covered entity’s records, or performing other admin- 

23 istrative support functions for the covered entity, 

24 (12) TransactionaIj purpose. — The term 

25 “transactional purpose” means a purpose necessary 
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for effecting, administering, or enforcing a trans- 
action between a covered entity and an indmdual. 

(13) Unafpiliated par, ty.-— T he term “luiaf- 
filiated party” means any entity that is not related 
by common ownership or affiliated by corporate con- 
trol with a covered entity. 

SEC. 3. NOTICE AND CONSENT REQUIREMENTS FOR THE 
COLLECTION, USE, AND DISCLOSURE OF COV- 
ERED INFORMATION. 

(a) Notice and Consent Prior to Collection 
AND Use op Covered Information. — 

(1) In generaIj. — covered entity shall not 
collect, use, or disclose covered infomation from or 
about an individual for any purpose unless such cov- 
ered entity — 

(A) makes available to such indmdual the 
privacy notice described in paragraph (2) prior 
to the collection of any covered information; 
and 

(B) obtains the consent of the indmdual to 
such collection as set forth in paragraph (3). 

(2) Notice requirements. — 

(A) Nature op notice. — 

(i) Collection op information 

THROUGH THE INTERNET.— If the covered 
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entity collects covered information through 
the Internet, the privacy notice required by 
this section shall be — 

(I) posted eleaiij' and conspicu- 
ously on the website of such covered 
entity through which the covered in- 
formation is collected; and 

(II) accessible through a direct 
link from the Internet homepage of 
the covered entity, 

(ii) IVLtNUAL COLLECTION OP INFOR- 
MATION BY MEANS OTHER THAN THROUGH 
THE INTERNET. — If the Covered entity col- 
lects covered information by any means 
that does not utilize the Internet, the pri- 
vacy notice required by this section shall 
be made available to an individual in wait- 
ing before the covered entity collects any 
covered information from that individual. 
(B) Required inforivlvtion.— T he pri- 
vacy notice required under paragraph (1) shall 
include the following infoi’ination: 

(i) The identity of the covered entity 
collecting the covered information. 
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(ii) A description of any covered infor- 
mation collected by the covered entity. 

(iii) How the covered entity collects 
covered information. 

(iv) The specific purposes for which 
the covered entity collects and uses covered 
information. 

(v) How the covered entity stores cov- 
ered information. 

(vi) How the covered entity may 
merge, link, or combine covered informa- 
tion collected about the individual with 
other information about the indmdnal that 
the covered entity may acquire from unaf- 
filiated parties. 

(vii) How long the covered entity re- 
tains covered information in identifiable 
form. 

(Hii) Hmv the covered entity disposes 
of or renders anonymous covered informa- 
tion after the expiration of the retention 
period. 

(ix) The purposes for which covered 
information may be disclosed, and the cat- 
egories of unaffiliated parties who may re- 
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1 

ceive such information for each such pur- 

2 

pose. 

3 

(x) The choice and means the covered 

4 

entity offers individuals to limit or prohibit 

5 

the collection and disclosure of covered in- 

6 

formation, in accordance with this section. 

7 

(xi) The means by and the extent to 

8 

which individuals may obtain access to cov- 

9 

ered information that has been collected by 

10 

the covered entity in accordance with this 

11 

section. 

12 

(xii) A means by which an individual 

13 

may contact the covered entity with any in- 

14 

quiries or complaints regarding the covered 

15 

entity’s handling of covered information. 

16 

(xiii) The process by which the cov- 

17 

ered entity notifies individuals of material 

18 , 

changes to its privacy notice in accordance 

19 

with paragraph (4). 

20 

(xiv) A hyperlink to or a listing of the 

21 

Commission’s online consumer complaint 

22 

form or the toll-free telephone number for 

23 

the Commission’s Consumer Response 

24 

Center. 
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(xv) The effective date of the privacy 
notice, 

(3) Opt-out consent eequirements. — 

(A) Opt-out nature op consent. — A 
covered entity shall be considered to have the 
consent of an indhddual for the collection and 
use of covered information relating to that indi- 
vidual if — 

(i) the covered entity has pro\dded to 
the indradual a clear statement containing 
the information required under paragraph 
(2)(B) and informing the individual that 
he or she has the right to decline consent 
to such collection and use; and 

(ii) the indmdual either affirmatively 
grants consent for such collection and use 
or does not decline consent at the time 
such statement is presented to the indi- 
vidual. 

If an individual declines consent at any time 
subsequent to the initial collection of covered 
information, the covered entity may not collect 
covered information from the individual or use 
covered information previously collected. 
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1 (B) Additional options available. — 

2 covered entity may comply vith this subsection 

3 by enabling an indnidual to decline consent for 

4 the collection and use only of particular covered 

5 information, protdded the individual has been 

6 given the opportunity to decline consent for the 

7 collection and use of all covered information. 

8 (4) Notice and consent to material 

9 CHANGE IN privacy POLICIES.— A covered entity 

10 shall provde the privacy notice required by para- 

11 graph (2) and obtain the express affirmative consent 

12 of the individual prior to — 

13. (A) making a material change in privacy 

14 practices governing previously collected covered 

15 infonnation from that individual; or 

16 (B) disclosing covered information for a 

17 purpose not previously disclosed to the indi- 

18 vdual and which the indmdual, acting reason- 

19 ably under the circumstances, would not expect 

20 based on the covered entity’s prior privac}’ no- 

21 tice. 

22 (5) Exemption for a transactional pub- 

23 POSE or an operational purpose.— 

24 (A) Exemption prom notice require- 

25 MENTS. — The notice requirements in this sub- 
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section shall not apply to covered information 
that— 

(i) is collected by any means that does 
not utilize the Internet, as described in 
paragraph (2)(A)(ii); and 

(ii) (I) is collected for a transactional 
purpose or an operational purpose; or 

(II) consists solely of information de- 
scribed in subparagraphs (A) through (D) 
of section 2(5) and is part of a first party 
transaction. 

(B) Exemption prom consent require- 
ments. — The consent requirements of this sub- 
section shall not apply to the collection, use, or 
disclosure of covered information for a trans- 
aetiorial purpose or an operational purpose, but 
shall apply to the collection by a covered entity 
of covered information for marketing, adver- 
tising, or selling, or any use of or disclosure of 
covered information to an unaffiliated party for 
such purposes. 

(b) Express Consent Required for Disclosure 
Co\t5red Information to Unapfillvted Par- 


24 ties.' 
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(1) In general. — covered entity may not 
sell, share, or otherwise disclose covered information 
to an imaffiliated party without first obtaining the 
express affirmative consent of the iiidmdual to 
whom the covered information relates. 

(2) Withdrawal op consent.-— A covered en- 
tity that has obtained express affirmative consent 
from an indmdual must provide the individnal with 
the opportunity, without charge, to withdraw? such 
consent at any time thereafter. 

(3) Exemption fob certain information 
SHARING with SERVICE PROVIDERS. — The Consent 
requirements of this subsection, shall not apply to 
the disclosure of covered information by a covered 
entity to a service provider for purposes of executing 
a first party transaction if — 

(A) the covered entity has obtained consent 
for the collection of covered information pursu- 
ant to subsection (a); and 

(B) the ser\dce prmdder agi'ees to use such 
covered information solely for the purpose of 
providing an agreed-upon sendee to a covered 
entity and not to disclose the covered informa- 
tion to any other person. 
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1 (c) Express Consent for Collection or Dis- 

2 CLOSURE OP Sensitive iNPORmTiON.— A covered ent% 

3 shall not collect or disclose sensitive information from or 

4 about an individual for any purpose unless such covered 

5 entity — 

6 (1) makes available to such indmdual the pri- 

7 vacy notice described in subsection (a)(2) prior to 

8 the collection of any sensitive information; and 

9 (2) obtains the express affirmative consent of 

10 the individual to whom the sensitive information re- 

11 lates prior to collecting or disclosing such sensitive 

12 information. 

13 (d) Express Consent for Collection or Dis- 

14 closure op Ai.iL or Substantl\lly iVr.iL op an Indi- 

15 tUDUAL’s Online Activity. — ^A covered entity shall not 

16 collect or disclose covered information about all or sub- 

17 stantially all of an individual’s online activity, including 

18 across websites, for any purpose unless such covered enti- 

19 ty— 

20 (1) makes available to such individual the pri- 

21 vacy notice described in subsection (a)(2) prior to 

22 the collection of the covered information about all or 

23 substantially all of the individual’s online activity; 

24 and 
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1 (2) obtains the express affirmative consent of 

2 the individual to whom the covered information re- 

3 lates prior to collecting or disclosing such covered in- 

4 formation, 

5 (e) Exception fob Individual ^Lvnaged Pbep- 

6 ERENCE Profiles. — Notwithstanding subsection (b), a 

7 covered entity may collect, use, and disclose covered infor- 

8 mation if— 

9 (1) the covered entity provides individuals with 

10 the ability to opt out of the collection, use, and dis- 

11 closure of covered information by the covered entity 

12 using a readily accessible opt-out mechanism where- 

13 by, the opt-out choice of the individual is preseived 

14 and protected from incidental or accidental deletion, 

15 including by- 

lb (A) website interactions on the covered en- 

17 tity’s website or a website where the preference 

18 profile is being used; 

19 (B) a toll-free phone number; or 

20 (C) letter to an address provided by the 

21 covered entity; 

22 (2) the covrered entity deletes or renders anony- 

23 mous any covered information not later than 18 

24 months after the date the covered information is 

25 first collected; 
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1 (3) the covered entity includes the placement of 

2 a symbol or seal in a prominent location on the 

3 website of the covered entity and on or near any ad- 

4 vertisements delivered by the covered entity based on 

5 the preference profile of an indmdual that enables 

6 an individual to connect to additional information 

7 that — 

8 (A) describes the practices used by the cov- 

9 ered entity or by an advertisement network in 

10 which the covered entity participates to create 

11 a preference profile and that led to the delivery 

12 of the advertisement using an individual’s pref- 

13 erence profile, including the information, cat- 

14 egories of information, or list of preferences as- 

15 sociated with the indmdual that may have led 

16 to the deliveiy of the advertisement to that indi- 

17 rtdual; and 

18 (B) allows individuals to rertew and mod- 

19 ify, or completely opt out of having, a pref- 

20 erence profile created and maintained by a cov- 

21 ered entity or by an advertisement network in 

22 which the covered entity participates; and 

23 (4) an advertisement network to which a cov- 

24 ered entity^ discloses covered information under this 

25 subsection does not disclose such covered informa- 
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tion to any other entity without the express affirma- 
tive consent of the individual to whom the covered 
information relates. 

SEC. 4, ACCURACY AND SECURITY OF COVERED INFORMA- 
TION AND CONSUMER EDUCATION CAM- 
PAIGN. 

(a) Accuracy. — Each covered entity shall establish 
reasonable procedures to assure the accuracy of the cov- 
ered information it collects. 

(b) Security op Covered Information.— 

(1) In general. — covered entity or service 
provider that collects covered information about an 
individual for any purpose must establish, imple- 
ment, and maintain appropriate administrative, 
technical, and physical safeguards that the Commis- 
sion determines are necessary to — 

(A) ensure the security, integiity, and con- 
fidentiality of such information; 

(B) protect against anticipated threats or 
hazards to the security or integrity of such in- 
formation; 

(C) protect against unauthorized access to 
and loss, misuse, alteration, or destraction of, 
such information; and 
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1 (D) in the event of a securhy breach, de- 

2 termine the scope of the breach, make every 

3 reasonable attempt to prevent further unauthor- 

4 ized access to the affected covered information, 

5 and restore reasonable integrity to the affected 

6 covered information. 

7 (2) Factors for appropriate sai^'e- 

8 GUARDS. — In developing standards to carry out this 

9 section, the Commission shall consider the size and 

10 complexity of a covered entity, the nature and scope 

1 1 of the acthaties of a covered entity, the sensitivity of 

12 the covered information, the current state of the art 

13 in administrative, technical, and physical safeguards 

14 for protecting information, and the cost of imple- 

15 menting such safeguards. 

16 (c) Consumer Education.— The Commission shall 

17 conduct a consumer education campaign to educate the 

18 public regarding opt-out and opt-in consent rights af- 

19 forded by this Act. 

20 SEC. 5. USE OF AGGREGATE OK ANONYMOUS INFORMA- 

21 TION. 

22 Nothing in this Act shall prohibit a eov^ered entity 

23 from collecting or disclosing aggregate information or eov- 

24 ered information that has been rendered anonymous. 
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1 SEC. 6. USE OF LOCATION-BASED INFORMATION. 

2 (a) In General.- — -E xcept as provided in section 

3 222(d) of the Comiminieations Act of 1934 (47 IJ.S.C. 

4 222(d)), any provider of a product or seryice that uses 

5 location-based information shall not disclose such location- 

6 based information concerning the user of such product or 

7 sendee without that user’s express opt-in consent. A user’s 

8 express opt-in consent to an application provider that re- 

9 lies on a platform offered by a commercial mobile service 

10 provider shall satisfy the requirements of this subsection. 

11 (b) Ai-iendment. — Section 222(h) of the Commu- 

12 nieations Act of 1934 (47 U.S.C. 222(h)) is amended by 

13 adding at the end the following: 

14 “(8) Call location information.— The term 

15 ‘call location information’ means any location-based 

16 information.” 

17 SEC. 7. FEDERAL COMMUNICATIONS COMMISSION REPORT. 

18 Not later than 1 year after the date of enactment 

19 of this Act, the Federal Communications Commission shall 

20 transmit a report to the Committee on Energy and Com- 

21 merce of the House of Representatives and the Committee 

22 on Commerce, Science, and Transportation of the Senate 

23 describing — ■ 

24 (1) all provisions of United States conimnnica- 

25 tions law, including proUsions in the Coiiimnnica- 
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1 tions Act of 1934, that address subscriber privacy; 

2 and 

3 (2) how those provisions may be harmonized 

4 tvith the provisions of this ilct to create a consistent 

5 regulatory regime for covered entities and indmd- 

6 uals. 

7 SEC. 8. ENFORCEMENT. 

8 (a) Enforcement by the Federal Trade Com- 

9 MISSION.— 

10 (1) Unfair or deceptive acts or pr^ac- 

11 TICES. — violation of this Act shall be treated as 

12 an unfair and deceptive act or practice in violation 

13 of a regulation under section 18(a)(1)(B) of the 

14 Federal Trade Commission Act (15 U.S.C. 

15 57a(a)(l)(B)) regarding unfair or deceptive acts or 

16 practices. 

17 (2) POVT3RS OP COMMISSION.— The Commis- 

18 sion shall enforce this Act in the same manner, by 

19 the same means, and vdth the same jurisdiction, 

20 powers, and duties as though all applicable terms 

21 and provisions of the Federal Trade Commission Act 

22 (15 U.S.C. 41 et seq.) were incorporated into and 

23 made a part of this Act, Any person who rtolates 

24 such regulations shall be subject to the penalties and 

25 entitled to the privileges and immunities provided in 
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1 that Act. Notwithstanding any proAasion of the Fed- 

2 eral Trade Commission Act or any other provision of 

3 law and solely for purposes of this Act, common car- 

4 riers subject to the Communications Act of 1934 (47 

5 U.S.C. 151 et seq.) and any amendment thereto 

6 shall be subject to the jurisdiction of the Commis- 

7 sion. 

8 (3) Rulemaking authority and limita- 

9 TION. — The Commission may, in accordance with 

10 section 553 of title 5, United States Code, issue 

11 such regulations it determines to be necessary to 

12 cany out this Act. In promulgating rules under this 

13 Act, the Commission shall not require the deploy- 

14 ment or use of any specific products or technologies, 

15 including any specific computer software or hard- 

16 ware. 

17 (b) Enforcement by State Attorneys Gbn- 

18 ERAL. — 

19 (1) Cmu ACTION. — In any case in which the 

20 attorney general of a State, or agency of a State 

21 hawng consumer protection responsibilities, has rea- 

22 son to believe that an interest of the residents of 

23 that State has been or is threatened or adversely af- 

24 fected by any person who violates this Act, the attor- 

25 ney general or such agency of the State, as parens 
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patriae, may bring a civil action on behalf of the 
residents of the State in a district court of the 
United States of appropriate jurisdiction to — 

(A) enjoin further riolation of such section 
by the defendant; 

(B) compel compliance with such section; 

(C) obtain damage, restitution, or other 
compensation on behalf of residents of the 
State; or 

(D) obtain such other relief as the court 
may consider appropriate. 

(2) Intervention by the etc. — 

(A) Notice and intervention. — The 
State shall provide prior written notice of any 
action under paragraph (1) to the Commission 
and provide the Commission with a copy of its 
complaint, except in any case in which such 
prior notice is not feasible, in w’hich case the 
State shall serve such notice immediately upon 
instituting such action. The Commission shall 
have the right — 

(i) to intervi-ene in the action; 

(ii) upon so intervening, to be heard 

on all matters arising therein; and 

(iii) to file petitions for appeal. 
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1 (B) Limitation on state action while 

2 FEDERAL ACTION IS PENDING. — If the Commis- 

3 sion has instituted a civil action for riolation of 

4 this Act, no State attorney general or agency of 

5 a State may bring an action under this sub- 

6 section during the pendency of that action 

7 against any defendant named in the complaint 

8 of the Commission for any violation of this Act 

9 alleged in the complaint. 

10 (3) Construction. — ^^Por purposes of bringing 

11 any cml action under paragraph (1), nothing in this 

12 Act shall be construed to prevent an attorney gen- 

13 eral of a State from exercising the powers conferred 

14 on the attorney general by the laws of that State 

15 to — 

16 (A) conduct investigations; 

17 (B) administer oaths or affirmations; or 

18 (C) compel the attendance of mtnesses or 

19 the production of documentaiy and other ew- 

20 deuce. 

2 1 SEC. 9. NO PRIVATE RIGHT OF ACTION. 

22 This Act may not be considered or constnied to pro- 

23 vide any private right of action. No private civil action 

24 relating to any act or practice governed under this Act 

25 may be commenced or maintained in any State court or 
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1 raider State law (including a pendent State claim to an 

2 action under Federal law). 

3 SEC. 10. PREEMPTION. 

4 This Act supersedes any piwision of a statute, regu- 

5 lation, or mle of a State or political subdivision of a State, 

6 that includes requirements for the collection, use, or dis- 

7 closure of covered information. 

8 SEC. 11. EFFECT ON OTHER tAWS. 

9 (a) Ai=-plication op Other Federal Privacy 

10 Laws. — Except as provided expressl}^ in this Act, this Act 

1 1 shall have no effect on activities covered by the following: 

12 (1) Title V of the Gramm-Leach-Bliley Act (15 

13 U.S.C. 6801 et seq.). 

14 (2) The Fair Credit Reporting Act (15 U.S.C. 

15 1681 et seq.). 

16 (3) The Health Insurance Portability and Ac- 

17 countability Act of 1996 (Public Law 104-191). 

18 (4) Part C of title XI of the Social Security Act 

19 (42 U.S.C. 1320d et seq.). 

20 (5) The Communications Act of 1934 (47 

21 U.S.C. 151 et seq.). 

22 (6) The Children’s Online Privacy Protection 

23 Act of 1998 (15 U.S.C. 6501 et seq.). 

24 (7) The CAN-SPAM Act of 2003 (15 U.S.C. 

25 7701 et seq.). 


(;\VHLC\050310\050310.209,xmi 
Mays, 2010j4:55p.m.) 
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1 (b) Commission Authoeity. — Nothing contained in 

2 this Act shall be construed to limit authority piwdded to 
, 3 the Commission under any other law. 

4 SEC. 12. EFFECTIVE DATE. 

5 Unless otherwise specified, this Act shall apply to the 

6 collection, use, or disclosure of, and other actions with re- 

7 spect to, covered information that occurs on or after the 

8 date that is one year after the date of enactment of this 

9 Act. 
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And now I recognize the Ranking Member of the Subcommittee, 
Mr. Whitfield, for 5 minutes for the purposes of an opening state- 
ment. 

OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENT- 
ATIVE IN CONGRESS FROM THE COMMONWEALTH OF KEN- 
TUCKY 

Mr. Whitfield. Well, Chairman Rush, thank you very much and 
we certainly appreciate our panel of expert witnesses here today. 
As you know we are having this hearing to explore privacy legisla- 
tion. I want to commend Chairman Rush for introducing his bill 
and want to thank him and his staff for giving us an opportunity 
to review that legislation. And all of us recognize that some steps 
need to be taken in this area, and we are hopeful that after today’s 
hearing a lot of these issues will be clarified even more for us be- 
cause as I said in the beginning we look forward to your testimony 
on this important issue. 

It seems to me the threshold question is whether Congress can 
require meaningful protections without forcing businesses online 
and offline to abandon or severely curtail legitimate business prac- 
tices that benefit consumers. We know that it is easy to misuse in- 
formation, and we also know there are benefits from sharing infor- 
mation, so that balancing act is very important. The problem I be- 
lieve for most consumers is the lack of understanding about how 
their information is collected, and once used how — and once they 
provide it how that is being used, and the impact that it has on 
them. 

This is a preparatory hearing and we always have a lot of con- 
cerns about legislation, particularly when it is in the area of pri- 
vacy. One of the areas that I have some concern about is that the 
first party, third party distinction created by this bill could also 
give certain players in the Internet ecosystem a competitive advan- 
tage over others, and I think we need a level playing field. I think 
it would be very difficult also for Congress to be involved of every 
nuance of privacy, and I think we need to be very careful about the 
latitude that we give the FTC in this area. 

One of the areas that is vitally important obviously in policing 
any legislation is the enforcement mechanism. I am always con- 
cerned about private rights of action because I know in some in- 
stances it has really created a cottage industry for trial lawyers 
seeking to manufacture privacy concerns. But I also know that 
sometimes those appear to be — these private rights of actions seem 
to be a good way to go. 

I do support the ability of State Attorneys General to enforce the 
Federal Statute. I don’t think this bill goes far enough in terms of 
preempting state laws, creating the possibility that despite the 
bill’s intent, covered entities would be subject to actions under mul- 
tiple potentially conflicting laws or legal theories for conduct sanc- 
tioned by this bill. 

Whatever Congress ultimately enacts consumers will not care 
really about the corporate structure or the regulatory regime that 
governs the entity collecting their information. They only want to 
be sure that their information is treated the same by all entities 
and that they have reasonable protection. And I feel quite confident 
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that when we enact privacy legislation that we will have a bal- 
anced bill that everyone will be satisfied with. Maybe I shouldn’t 
say everyone, but most people will be satisfied with, and of course, 
that is our objective. 

Now I yield back the balance of my time. 

[The prepared statement of Mr. Whitfield follows:] 
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Statement of the Honorable Ed Whitfield 
Ranking Member, Subcommittee on Commerce, Trade, and Consumer Protection 
Hearing on Privacy Drafts 
July 22, 2010 


• Thank you for calling this hearing on two well intentioned pieces of legislation intended 
to address privacy protections for consumers. This is not an easy topic to legislate, but 
protections are overdue. 

• lam glad we are able to assemble a panel of witnesses on short notice to comment on tiie 
two drafts and hope they can further enlighten us on the impact of these provisions. 


• I think these are both good starting points for discussion as we try and tackle the best way 
to provide consumer with the information they need about what and how their 
information will be collected and used by commercial entities. 

• The threshold question is whether we can provide meaningful protections without forcing 
businesses - online and offline - to start their business over from scratch. The proverbial 
“genie” is out of the bottle, allowing information to be collected, stored, and shared for 
various purposes on a daily basis, often unbeknownst to the consumer. 

• That is not to say the infonnation is always used for nefarious purposes. Indeed, there are 
many benefits that have accrued to consumers through customization and free services 
supported most often by advertisements. 


• The problem for most consumers is the loss of control of their information once they 
surrender it in exchange for something of value, and who gets to use that information. 

• My concerns after reviewing the drafts center on the consent provisions, the effect on 
different business models and the enforcement provisions. 

• 1 believe the Federal Trade Commission and its track record as a consumer protection 
enforcement agency is best suited to be the Federal agency in charge. But I do have 
concerns about the private rights of action as an additional enforcement mechanism or 
deterrent. 

• Whatever Congress ultimately enacts, consumers will not care about the corporate 
structure or the regulatory regime that governs the entity collecting their information. 
They only want to be sure their information is treated the same with every business with 
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whom they transact. If we keep that principle as a guiding tenet I am sure we can provide 
meaningful protections many consumers desire. 

• Thank you 



89 


Mr. Rush. We will be seeking everyone on this bill. We will now 
have Ms. Castor for 2 minutes. 

OPENING STATEMENT OF HON. KATHY CASTOR, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA 

Ms. Castor. Thank you, Chairman Rush, very much, and thank 
you to the witnesses for being here today. I am looking forward to 
your discussion of consumer privacy in the Internet age, and such 
an exciting age of technological innovation. And I hope your com- 
ments will be directed to the two draft discussion bills that are on 
the table. We need your expert advice on how we balance the im- 
portant competing interests of personal privacy and business inno- 
vation. 

We do need to have rules in place that give consumers the option 
to share their information or keep it private. Both bills before us 
require that companies explain to consumers what information is 
being collected and gives them the ability to opt out of certain data 
collection practices. And I think this is what consumers are looking 
for. They want a simple explanation followed by a choice. But there 
are literally thousands — millions of new businesses that have been 
created as a result of the ability to share information, and I think 
that this is absolutely vital that we protect that interest as well. 
Nearly all Internet businesses rely on some form of information 
gathering. So we want to insure that these businesses continue to 
grow, and flourish, but in a way that protects — that promotes 
transparency for the consumer. 

So thank you for being here and thank you, Mr. Chairman. I 
yield back. 

Mr. Rush. Mr. Scalise, you are recognized for 2 minutes. 

OPENING STATEMENT OF HON. STEVE SCALISE, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF LOU- 
ISIANA 

Mr. Scalise. Thank you, Mr. Chairman. I want to thank you and 
Ranking Member Whitfield for having this hearing on the bills be- 
fore us today, both focusing on consumer privacy. I am pleased that 
we are once again examining this issue and that legislation has 
been brought forward with the goal of protecting consumers and 
their personal information. I look forward to hearing from our pan- 
elists and discussing the merits of these bills. As we take them into 
consideration and debate the best steps moving forward, I hope we 
proceed wisely and carefully. 

As I have stated at previous hearings, I hope we focus on how 
to protect consumers and their personal information, and look at 
steps the industry will take on their own to do that. We need to 
make sure that these bills do not focus on ways government can 
get involved in more areas of people’s lives where it does not be- 
long. For this reason, I hope these bills take self-regulation into ac- 
count and include provisions that allow companies to continue with 
steps that they have already taken to protect personal information. 
If self-regulation is not sufficient, and if any additional privacy pro- 
visions or regulatory requirements are needed, they should be tar- 
geted, consistent, and not discriminate against any one business or 
industry. Congress should not pick winners and losers. 
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I also hope that these hills do not harm the ability to maintain 
or invest in their businesses. We must strike a balance that pro- 
tects personal information without limiting a company’s ability to 
do business in an honest and ethical way. Again, I will look for- 
ward to hearing from our panelists on whether they feel these bills 
strike that important balance. 

Mr. Chairman, I also want to close by addressing the rumors 
that FCC Chairman Genachowski may add broadband classifica- 
tion to the commission’s September 16 agenda. First of all, I do not 
believe that the FCC should reclassify broadband services or im- 
pose burdensome regulations on the Internet. And more impor- 
tantly, the FCC should definitely not rush any process that gives 
Congress little time to react after returning from recess. 

Over 8,000 pages of comments have been submitted to the FCC 
on this proposal, and the comment period is open until August 12. 
For reclassification to be on the September 16 agenda, the other 
commissioners would have to receive chairman’s proposal by Au- 
gust 26, giving the commissioners 2 weeks to review the thousands 
of comments. Clearly we need to make sure that they have that 
ability to review those comments from the public. So I hope those 
rumors are in fact just rumors. Otherwise it would seem that the 
FCC intends on ignoring those 8,000 pages of comments as well as 
the bipartisan staff discussions that are ongoing on this issue. We 
must continue to pursue targeted legislation that serves the Amer- 
ican people, not a hastened process that serves a political agenda. 

Thank you, and I yield back. 

Mr. Rush. The chair recognizes now the gentleman from Georgia, 
Mr. Barrow, for 2 minutes. 

Mr. Barrow. Thank you. Chairman, I will waive time. 

Mr. Rush. Mr. Green, you are recognized for 2 minutes. 

OPENING STATEMENT OF HON. GENE GREEN, A 
REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS 

Mr. Green. Thank you, Mr. Chairman. Thank you Chairman 
Rush, and Ranking Member Whitfield. I want to thank you for 
raising the issue of consumer privacy and for holding this hearing 
today, and also Chairmen Rush and Boucher, as well as Ranking 
Member Stearns for introducing the bills which we examine today. 

As technology continues to evolve, the privacy implications for 
consumers require frequent reexamination by Congress. In 2003 we 
passed the Canned Spam Act that countered the alarming rise of 
unsolicited span email messages that interfered with the use of 
Internet and email by in users. Today technology has continued its 
progress and as a result, we are once again confronted with chal- 
lenges for protecting consumers and ensuring that private data is 
not shared without consent. 

The ability to easily aggregate and share information over the 
Internet has provided tremendous benefits to our society and our 
economy, and the collection of consumer information can provide 
tremendous benefits to small and upstart businesses by allowing 
them to target customers that have tendencies to purchase individ- 
ualized products or services. One problem, however, is that these 
are not the only ones using the data, and the ability and entire en- 
tities that sell this information to collect such a wide variety of in- 
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formation on individuals is extremely troubling because it allows 
bad actors to target vulnerable individuals based on very specific 
and granular data that has been collected across a number of on- 
line and offline platforms. We have laws that regulate how this in- 
formation can he used by financial institutions in relating to med- 
ical record privacy, but outside these defined areas the information 
is largely unregulated and has the potential for being tremendously 
harmful to consumers. 

I am pleased that our committee is confronting these challenges 
head on. It is important that we examine methods that introduce 
transparency into the system and give the consumers the ability to 
have control over the large scale data. Collection is currently occur- 
ring at most times without their knowledge. And I look forward to 
hearing the testimony from witnesses. 

Mr. Chairman, I yield back. 

Mr. Rush. Mr. Latta is recognized for 2 minutes. 

OPENING STATEMENT OF HON. ROBERT E. LATTA, A 
REPRESENTATIVE IN CONGRESS FROM THE STATE OF OHIO 

Mr. Latta. Thank you, Mr. Chairman, Ranking Member Whit- 
field. I appreciate you holding today’s hearing on the important 
issue of protecting an individual’s privacy. 

Meaningful legislation to protect consumer’s data is important, 
as there have been recently high profile incidences involving the 
compromising of consumer data that has increased privacy and 
concerns. There are many benefits that the Internet provides con- 
sumers and it is important that consumers are protected. However, 
as with many of the public policy issues that this Subcommittee 
considers, there needs to be a balance between protecting con- 
sumers and overburdening companies with regulations. 

The collection of consumer information is a great benefit to com- 
panies that process transactions as well as to market their prod- 
ucts. In addition, many of these company’s products are based on 
information that the consumers submit to then obtain information 
specific to them. This personal information must be protected 
whether it regards personal health, employment, or any other in- 
formation. 

While it is important for companies to disclose their privacy prac- 
tices, companies should not have to disclose the propriety practices 
or information for collecting this information. In moving forward on 
either of these pieces of legislation, we need and to ensure that by 
expanding the authority of a government agency that there are no 
unintended consequences on ecommerce. I have heard concerns, es- 
pecially from small businesses, about this legislation have a 
chilling effect on ecommerce and curbing innovation. These small 
businesses are concerned that increased regulations will have nega- 
tive effect on their businesses and have increased costs for them, 
and those that are self-employed ultimately which would then have 
to be borne by the consumers. 

I will look forward to working — continue to work on — with the 
Subcommittee on this important issue relating to protecting con- 
sumer’s privacy. In this time of rapidly advancing technology, we 
must protect personal information. I am hoping that this balance 
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can be achieved for all the parties involved, and with that, Mr. 
Chairman, I yield back. Thank you. 

Mr. Rush. The Chair recognizes Mr. Stearns for 5 minutes. 
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Statement of the Honorable Joe Barton 
Ranking Member, Committee on Energy and Commerce 
Hearing on Privacy Discussion Drafts 
July 22, 2010 

Thank you, Mr. Chairman. 

I want to thank both Chairman Boucher and Chairman Rush for their efforts 
to advance the discussion on protecting consumer privacy. This is a topic several 
years in the making, and I suspect we may be reviewing this issue for a bit longer. 

I will say that the timing of this hearing is a bit problematic. We all want to 
make sure we get this right, but we can only do that when both Members and 
stakeholders have adequate time to review what is proposed. We have not been 
afforded the time necessary to fully assess this latest draft before today’s hearing, 
and Chainnan Rush’s bill was only released to the public on Monday. The 
deadline for testimony was Tuesday night, and I therefore wonder whether the 
comments given to us today can present a robust picture of the bills. I know 
everyone is in a rush to get home for August recess, but we have plenty of time left 
in our congressional session to schedule a hearing and allow Members, staff, and 
stakeholders the appropriate amount of time to fully examine such important 
proposals. 

That said, 1 want to thank both Chairmen for their hard work. Both drafts 
provide us with a good framework for this discussion. I’m sure there are parts 
from both of these proposals that we will want to consider. 



94 


1 continue to believe strongly that our information is our property, and we 
should be able to control who gets that information and what they can do with it. 
But I also recognize the value of this information to our economy and to businesses 
that provide valuable services and products that we want, often for free. Our lives 
would be very different if innovation were stifled, - especially in the online world, 
and the deregulatory approach in that space has unleashed great minds and great 
companies. 

I will keep my comments today short because I am much more interested in 
what the experts before us have to say about these two drafts, as well as their 
thoughts and recommendations on comprehensive privacy legislation in general. 

In particular, I would like the witnesses to indicate whether the drafts apply their 
requirements to all parties in a competitively neutral fashion, and whether they 
address the types of issues raised by the newest data collection and use models as 
well as by Google’s monitoring of WiFi connections and collection of user data 
without notice or consent. 

I look forward to working with both of my friends, Mr. Boucher and Mr. 
Rush, as we continue our work in this area. 


I yield back. 
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OPENING STATEMENT OF HON. CLIFF STEARNS, A REP- 
RESENTATIVE IN CONGRESS FROM THE STATE OF FLORIDA 

Mr. Stearns. Thank you, Mr. Chairman, and like other mem- 
bers, I am very glad we are having the hearing on H.R. 5777, Best 
Practices Act, as well as the proposal drafted by Mr. Boucher, the 
Chairman of the Communication, Technology, and the Internet 
Subcommittee, the CTI Subcommittee. I was a sponsor, principal 
sponsor with Mr. Boucher on his bill, and so I am happy to join 
with him in soliciting comments as he did over the some 70 days. 
And as many of you perhaps know that I have had a lot of experi- 
ence working on this privacy issue. It is complex, involves a broad 
range of interests. During my time as Chairman of this Sub- 
committee I introduced several privacy bills, so I understand the 
importance of transparency when it comes to collection, use and 
sharing of consumer information. Now it is my capacity as the CTI 
Subcommittee, I have been focusing on privacy issues and the 
Internet, which it becomes so ubiquitous in our everyday lives, that 
we have started to presume, just presume a certain level of privacy 
that may not actually exist, so that is why I think we should be 
looking at this privacy situation. 

We must recognize that online advertising supports much of the 
commercial content, applications, and services that are available on 
the Internet today without charge and my colleagues, we do not 
want to disrupt this well-established and successful business 
model. 

Now this bill Best Practices seeks to enhance transparency over 
the commercial use of personal information that provides con- 
sumers with choices about the collection, use, and disclosure of this 
information. I support providing consumers with choices and trans- 
parency, but we must also keep in mind that only the consumer 
knows how he or she feels about the information that is being col- 
lected, the parties doing the collecting and the purpose for which 
the information for which the information is ultimately collected. 
Congress cannot and should not make that decision for them. 

Now I do have some concern with this Best Practices Act as cur- 
rently drafted, including the overly expansive definition of covered 
information. The private right of action with uncapped punitive 
damages and the safe harbor provision which is too prescriptive 
and relies too heavily on the Federal Trade Commission. In order 
to have an effective safe harbor and privacy legislation we must 
craft a provision that creates the right incentives for businesses to 
subscribe to the very best practices with respect to the use of per- 
sonal information of those consumer’s standards that have been de- 
veloped over time and are capable of being modified rapidly to ad- 
dress any new significant consumer privacy concern about busi- 
nesses use of consumer’s data. 

I would like to work with my colleagues to develop a better self- 
regulatory structure that will protect consumers while creating the 
proper incentives for businesses to adopt and maintain the best pri- 
vacy and protection standards. I obviously appreciate having these 
hearings. I regret though, Mr. Chairman, we are having a hearing 
only four days after the bill was publicly released. This is an im- 
portant and complicated topic, and members, and staff, and our 
witnesses need more time to adequately analyze the provisions in 
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this legislation. It is a credit to Mr. Boucher. He released this pri- 
vacy discussion draft on May 4, and he allowed ample time for 
comments. And if I recollect correctly, there were 70 different orga- 
nizations, companies, universities, colleges, and concerned citizens 
that have taken the time to send their comments on this discussion 
draft. 

So we have a — plenty of information to consider for his bill. So 
there is clearly a lot of interest out in privacy — out in the industry 
for privacy legislation. I feel that more time allowed for more ro- 
bust discussion is necessary, so I hope we have that in the future. 
But again I appreciate your work, and the leadership on this issue, 
and also Mr. Boucher’s hard work as I look forward to working 
with members of both Subcommittees as we try to find the good, 
equal balance of protecting consumers and allowing innovation to 
flourish. 

I will just conclude and sort of mention which Mr. Scalise men- 
tioned a little bit about the FCC and their haste to move the — from 
Title I to Title II, the Internet jurisdiction, and I would say — one 
thing that I would add to his comment is when we get back in Sep- 
temb^er it will only be a couple of days perhaps until the FCC acts, 
and that is really not enough time for us to even consider what 
they are doing, so again, I urge as Mr. Scalise did that the FCC 
hold off. Thank you, Mr. Chairman. 

Mr. Rush. The Chair thanks all the members for their opening 
statements, the Chair really wants to reassure every member of 
this Subcommittee that the time to — necessary for deliberation will 
be forthcoming at that in no way do we expect to rush — pardon the 
pun — to rush towards judgment. However, we do feel as though we 
need to start this process in a robust way and a robust manner, 
and that is what was the intention of the Chairman. You know, 
discussion has got to end sometime and now is the time for the dis- 
cussion to be ended and the work to begin. 

So with that said, I want to welcome our witnesses now and I 
am so honored that these individuals have taken the time out from 
their busy schedule to come and share with this subcommittee 
their valuable information, insight, and their expertise on this most 
important matter that affects us, the American people. I want to 
introduce them now. From my left is Mr. David Vladeck 

Mr. Vladeck. Vladeck. 

Mr. Rush. Vladeck. He is the Director of the Bureau of Con- 
sumer Protection for the Federal Trade Commission. Seated next 
to Mr. Vladeck is Leslie — Ms. Leslie Harris. She is the President 
and CEO of the Center for Democracy and Technology. Next to Ms. 
Harris is Mr. David Hoffman. He is the Global Privacy Officer for 
the Intel Corporation. Seated next to Mr. Hoffman is Mr. Ed 
Mierzwinski. He is the Consumer Program Director for the U.S. 
Public Interest Research Group. And next to Mr. Mierzwinski is 
Mr. Ira Rubinstein. He is the adjunct Professor of Law in the New 
York School of Law. And next to Mr. Rubinstein is Mr. Jason Gold- 
man. He is in Counsel, Technology, and E-commerce for the U.S. 
Chamber of Commerce. And then we have seated next to Mr. Gold- 
man is Mr. Mike Zaneis, and Mr. Zaneis is the Vice-President of 
the Public Policy Interactive Advertising Bureau. Again, thank you 
all so very much for being present here at this hearing, and it is 
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the practice of this subcommittee to swear in the witnesses, and I 
ask each of you if you would stand and raise your right hand. 
There is a big panel of witnesses we got here. 

[Witnesses sworn.] 

Mr. Rush. Please let the record reflect that the witnesses have 
all answered in the affirmative and now we will begin with testi- 
mony from our witnesses. We will begin with Mr. Vladeck. Mr. 
Vladeck, you are recognized for 5 minutes. 

TESTIMONY OF DAVID VLADECK, DIRECTOR, BUREAU OF CON- 
SUMER PROTECTION, FEDERAL TRADE COMMISSION; LES- 
LIE HARRIS, PRESIDENT AND CHIEF EXECUTIVE OFFICER, 
CENTER FOR DEMOCRACY AND TECHNOLOGY; DAVID HOFF- 
MAN, GLOBAL PRIVACY OFFICER, INTEL CORPORATION; ED 
MIERZWINSKI, CONSUMER PROGRAM DIRECTOR, U.S. PUB- 
LIC INTEREST RESEARCH GROUP; IRA RUBINSTEIN, AD- 
JUNCT PROFESSOR OF LAW, NEW YORK UNIVERSITY 
SCHOOL OF LAW; JASON GOLDMAN, COUNSEL, TECH- 
NOLOGY AND E-COMMERCE, U.S. CHAMBER OF COMMERCE; 
AND MIKE ZANEIS, VICE PRESIDENT, PUBLIC POLICY, 
INTERACTIVE ADVERTISING BUREAU 

TESTIMONY OF DAVID VLADECK 

Mr. Vladeck. Thank you very much, Chairman Rush, Member 
Whitfield, members of the Committee, I really appreciate the op- 
portunity to be here today. 

The Federal Trade Commission has a long track record of pro- 
tecting consumer privacy. The Commission began examining online 
privacy in the mid-1990’s. Initially the Commission’s work was 
built on the so-called Fair Information Practice principles of notice, 
choice, access, and security. The Commission’s efforts were widely 
credited with raising public awareness about privacy, prompting 
companies to post privacy policies online for the first time and im- 
proving companies’ accountability for privacy practices. 

In the early 2000’s the FTC shifted its focus and targeted harm- 
ful uses of information, uses presenting risks to physical security, 
economic injury, or causing unwarranted intrusions. This approach 
was designed to protect privacy without imposing costly notice and 
choice requirements for all uses of information. The Commission’s 
privacy agenda included aggressive enforcement on data security, 
children’s privacy, spam, spyware, and unwanted telephone calls, 
telemarketing robocalls. 

Last year the Commission announced that it was going to again 
re-evaluate its approach to privacy. We recognize that the tradi- 
tional models governing consumer privacy have limitations. The 
Fair Information Practices model placed a heavy burden on con- 
sumers to read and understand complicated and lengthy privacy 
policies, and then make choices about the collection and use of 
their data. The harm-based model generally did not address con- 
cerns about having one’s personal information exposed where there 
is no direct intangible consequence. Often, harms to consumers 
were addressed after they occurred. 

Late last year the Commission began its re-evaluation of privacy 
by holding three round tables which highlighted a number of im- 
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portant themes. First and most urgently consumers do not under- 
stand the extent to which companies are collecting and using their 
personal data. This is a remark that I think many of the members 
echoed in their opening remarks. Second, existing privacy policies 
don’t work as a means of communicating privacy practices to con- 
sumers, and certainly will not work well on small screen mobile de- 
vices like smart phones. Third, consumers do care about privacy 
and they care about privacy as a value in and of itself beyond any 
tangible economic harm that may be associated with it. And finally, 
as others have pointed out, the free flow of information does help 
make tremendous benefits possible, so we need to be cautious 
about restricting information exchanges and uses. 

Recognizing many of these same issues. Chairman Rush and 
Chairman Boucher each have proposed legislation to advance the 
goal of improving privacy protection in today’s commercial market- 
place. We share this goal and we applaud Chairman Rush and 
Chairman Boucher for their leadership. 

Although the Commission has not taken a position on the legisla- 
tion, both proposals include a number of key policy objectives that 
the Commission supports. 

First, both include requirements for data security for customer 
information, a requirement the Commission has long endorsed. 
Second, the Commission supports the proposal’s data accuracy re- 
quirements, especially where the data will be used for decisions 
about a consumer’s eligibility for benefits or services. Third, both 
proposals give the FTC limited rule making authority in the pri- 
vacy area. We believe that the content, timing, and scope of privacy 
disclosures required by the legislation will benefit from broad 
stakeholder input and consumer testing which can be accomplished 
as part of an APA rulemaking proceeding. Finally, both proposals 
include innovations to simplify consumer’s ability to exercise mean- 
ingful privacy choice. 

If Congress enacts legislation in this area we urge it to consider 
some additional issues. Most importantly we think it would be use- 
ful to require short disclosures at the point of information collection 
and/or use and to give the FTC rulemaking authority so we can 
provide guidance on this requirement. 

Let me share an example of why we think short and concise no- 
tices at the right moment are important. A few months ago it was 
reported that approximately 7,500 consumers had “sold their souls” 
to an online computer game retailer. To drive home the point the 
consumers don’t read lengthy disclosures, the company provided a 
provision in its privacy policy that by placing an order with the 
company the consumer granted the company “the nontransferable 
option to claim for now and forever more your immortal soul”. The 
company even went on to provide an opt-out provision for this par- 
ticular soul selling clause, but not surprisingly very few consumers 
opted out. Now I don’t believe that these consumers really meant 
to transfer their rights of their immortal soul to an online gaming 
company, and we think this illustration drives home the need for 
short and concise notices the consumers will read and understand 
at the time of data collection and use. 

Another issue we would urge Congress to look at is whether the 
sharing of individual’s data among companies affiliated through 
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common ownership should necessarily he exempt from consent re- 
quirements, especially where a company may share data with doz- 
ens or even hundreds of affiliate companies. 

Finally we also have concerns that the safe harhor programs con- 
tained in the proposed legislation could lead to multiple consent 
mechanisms that may differ in important ways which could add to 
consumer confusion when consumers need more simplicity. 

The Commission looks forward to working with Congress to re- 
solve these issues and any others that may arise in order to accom- 
plish our shared objective of improving consumer privacy, while at 
the same time promoting innovation and beneficial flows of infor- 
mation on the Internet. Thank you very much. 

[The prepared statement of Mr. Vladeck follows:] 
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Chainnan Rush, Ranking Member Whitfield, and members of the Committee, I am 
David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade 
Commission (“FTC” or “Commission”). I appreciate the opportunity to present tlie 
Commission’s testimony on privacy.' 

Privacy has been central to the Commission’s consumer protection mission for more than 
a decade. Over the years, the Commission has employed a variety of strategies to protect 
consumer privacy, including law enforcement, regulation, outreach to consumers and businesses, 
and policy initiatives.^ In 2006, recognizing the increasing importance of privacy to consumers 
and a healthy marketplace, the FTC established the Division of Privacy and Identity Protection, 
which is devoted exclusively to privacy-related issues.^ 

Although the FTC’s commitment to consumer privacy has remained constant, its policy 
approaches have evolved over time. This testimony describes the Commission’s efforts to 
protect consumer privacy over the past two decades, including its two main policy approaches: 
(1) promoting the fair information practices of notice, choice, access, and security (the “FTC 
Fair Information Practices approach”); and (2) protecting consumers from specific and tangible 
privacy harms (the “harm-based approach”). It then discusses recent developments, including 


' This written statement represents the views of the Federal Trade Commission. My oral 
presentation and responses are my own and do not necessarily reflect tlie views of the 
Commission or of any Commissioner. 

^ Information on the FTC’s privacy initiatives generally may be found at 
http :;ywww. ftc.gov/privacv/index.html . 

’ Prior to 2006, the Commission’s Division of Financial Practices worked on privacy 
issues in addition to enforcing laws related to mortgage transactions, debt servicing, debt 
collection, fair lending, and payday lending. A different division was responsible for identity 
theft. 
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the FTC staffs Privacy Roundtables project - a major initiative to re-examine traditional 
approaches to privacy protection in light of new technologies and business models. It concludes 
by offering general comments on both Chairman Rush’s and Chaimian Boucher’s proposed 
privacy legislation. 

I. The FTC’s Efforts to Protect Consumer Privacy 

The FTC has a long track record of protecting consumer privacy. The Commission’s 
early work on privacy issues dates back to its initial implementation in 1970 of the Fair Credit 
Reporting Act (“FCRA”)/ which includes provisions to promote the accuracy of credit reporting 
information and protect the privacy of that infonnation. With the emergence of the hitemet and 
the growth of electronic commerce beginning in the mid-1990s, the FTC expanded its focus to 
include online privacy issues. Since then, both online and offline privacy issues have been at the 
forefront of the Commission’s agenda, as discussed in greater detail below. 

A. The FTC’s Fair Information Practices Approach 

Beginning in the mid- 1 990s, the FTC began addressing consumer concerns about the 
privacy of personal infonnation provided in connection with online transactions. The 
Commission developed an approach by building on earlier initiatives outlining the “Fair 
Information Practice Principles,” which embodied the important underlying concepts of 
transparency, consumer autonomy, and accountability.’ In developing its approach, the FTC 

■* ISU.S.C. §§ 16gle-i. 

’ This work included the Department of Health, Education, and Welfare’s 1973 report. 
Records, Computers, and the Rights of Citizens, available at 
http://aspe.hhs.gov/dataciicl.d973privacv7'c7.hlTn . and the Organisation for Economic 
Cooperation and Development’s 1980 Guidelines on the Protection of Privacy and Transborder 
Flows of Personal Data, available at 

h itp ://wsvw. oecd.org/ document' 1 8/0.3343.en 2649 34255 1815186 1 1 1 LOO.html . 
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reviewed a series of reports, guidelines, and model codes regarding privacy practices issued 
since the mid-1970s by government agencies in the United States, Canada, and Europe. From 
this work, the FTC identified four widely accepted principles as the basis of its own Fair 
Information Practices approach: (1) businesses should provide notice of what information they 
collect from consumers and how they use it; (2) consumers should be given choices about how 
information collected from them may be used; (3) consumers should be able to access data 
collected about them; and (4) businesses should take reasonable steps to ensure the security of 
the infonnation they collect from consumere. The Commission also identified enforcement - 
the use of a reliable mechanism to impo,se sanctions for noncompliance with the fair information 
principles - as a critical component of any self-regulatory program to ensure privacy online,^ 

To evaluate industry’s compliance with these principles, the Commission examined 
website information practices and disclosures; conducted surveys of online privacy policies, 
commented on self-regulatory efforts, and issued reports to Congress. In 2000, the Commission 
reported to Congress that, although there had been improvement in industry self-regulatoiy 
efforts to develop and post privacy policies online, approximately one-quaiter of the privacy 
policies surveyed addressed the four fair infonnation practice principles of notice, choice, 
access, and security.’ A majority of the Commission concluded that legislation requiring online 
businesses to comply with these principles, in conjunction with self-regulation, would allow the 
electronic marketplace to reach its full potential and give consumers the confidence they need to 

See Federal Trade Commission, Privacy Online: A Report to Congress (June 1998), 
available at http :/,/www. Ifc . go v./reoorts/DrivacY3-/nriv-23 . shtni . 

’ See Federal Trade Commission, Privacy Online: Fair hiformation Practices in the 
Electronic Marketplace (May 2000) at 13-14, available at 
http://www.ftc. gov.freports.'privacv2000.'privacv2000.pdf . 
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participate fully in that marketplace.* 

Although Congress did not pass the legislation recommended by the Commission, the 
Commission’s efforts during this time, particularly its surveys, reports, and workshops, were 
widely credited with raising public awareness about privacy and leading companies to post 
privacy policies for the first time.’ The Commission also encouraged self-regulatory efforts 
designed to benefit consumers, such as the development of best practices, improvements in 
privacy-enhancing technologies, and the creation of online privacy certification programs. 

The Commission also brought law enforcement actions to hold companies accountable 
for their privacy statements and practices. In Febmary 1999, for example, the Commission 
alleged that GeoCities, one of the most visited websites at the time, had misrepresented the 
purposes for which it was collecting personal information from both children and adults."' In 
2000, the Commission challenged a website’s attempts to sell personal customer infonnation, 
despite the representation in its privacy policy that such information would never be disclosed to 
a third party." These cases stressed the importance of keeping promises about the use of 


* Id. at 36-38. 

’ In 1999, Congress also passed the Gramm-Leach Bliley-Act, 15 U.S.C, §§ 6821-27, 
requiring all financial institutions to provide notice of their data practices and choice for sharing 
data with third parties 

In the Matter of GeoCities, Inc., Docket No. C-3850 (Feb. 5 1999) (consent order). 

" FTC V. Toysmart.com LLC, 00-CV-l 1341-RGS (D. Mass, filed July 10, 2000). See 
also In the Matter of Liberty Fin. Cos., Docket No. C-3891 (Aug. 12, 1999) (consent order) 
(alleging that site falsely represented that personal infonnation collected from children, 
including information about family finances, would be maintained anonymously); FTC v. 
ReverseAiiction.com, Inc., No. 00-0032 (D.D.C. Jan. 10, 2000) (consent order) (alleging that 
online auction site obtained consumer data from competitor site and then sent deceptive, 
unsolicited e-mail messages to those consumers seeking their business); FTC v. Rennert, No. 
CV-S-00-0861-JBR (D. Nev. July 24, 2000) (consent order) (alleging that defendants 
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consumer information and demonstrated the Commission’s commitment to protecting online 
privacy. 

B. The Harm-Based Approach 

In the early 2000s, the FTC de-emphasized its fair information practices approach as the 
primary means of addressing privacy issues, and shifted its focus to a “harm-based approach” for 
protecting consumer privacy. The approach was designed to target harmful uses of information 
- those presenting risks to physical security or economic injury, or causing unwarranted 
intrusions in our daily lives - rather than imposing costly notice and choice for ail uses of 
information.'^ The Commission’s privacy agenda began to focus primarily on: (1) data security 
enforcement; (2) identity theft; (3) children’s privacy; and (4) protecting consumers from spam, 
spyware, and telemarketing. 

1. Data Security Enforcement 

Maintaining and promoting data security in the private sector has been a key component 
of the FTC’s privacy agenda. Through its substantial record of enforcement actions, the FTC 
has emphasized the importance of maintaining reasonable security for consumer data, so that it 


misrepresented their security practices and how they would use consumer information); In the 
Matter of Educ. Research Ctr. of Am., Inc.; Student Marketing Group, Inc., Docket No. C-4079 
(May 6, 2003) (consent order) (alleging that personal data collected from students for 
educational purposes was sold to commercial marketers); In the Matter of The Nat 7 Research 
Ctr. for College & Univ. Admissions, Docket No. C-4071 (Jun. 28, 2003) (consent order) (same); 
In the Matter of Gateway Learning Corp., Docket No. C-4120 (Sept, 10, 2004) (consent order) 
(alleging that company rented customer information to list brokers in violation of its privacy 
policy); In the Matter of Vision I Properties, LLC, Docket No. C-4135 (Apr. 19, 2005) (consent 
order) (alleging that a service provider disclosed customer information in violation of merchant 
privacy policies). 

See, e.g., Speech of Timothy J, Muris, Protecting Consumers ’ Privacy: 2002 and 
Beyond, Cleveland, Ohio, Oct. 4, 2001, available at 
Iittp://www.ftc.gov7specche.s/muris./privispl002.slitm . 
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does not fall into the hands of identity thieves and other wrongdoers. 

The FTC enforces several laws with data security requirements. The Commission’s 
Safeguards Rule under the Gramin-Leach-Bliley Act, for example, contains data security 
requirements for financial institutions.'^ The FCRA requires consumer reporting agencies to use 
reasonable procedures to ensure that the entities to which they disclose sensitive consumer 
information have a permissible puipose for receiving that information,'’' and imposes safe 
disposal obligations on entities that maintain consumer report information."' In addition, the 
Commission enforces the FTC Act’s prohibition against unfair or deceptive acts or practices in 
cases where a business makes false or misleading claims about its data security procedures, or 
w'here its failure to employ reasonable security measures causes or is likely to cause substantial 
consumer injury.'" 

Since 2001, the Commission has used its authority under these laws to bring 28 eases 
alleging that businesses failed to protect consumers’ personal information.” The FTC’s early 


” 16 C.F.R, Part 314, implementing 15 U.S.C. § 6801(b). The Federal Deposit 
Insurance Corporation, National Credit Union Administration, Securities and Exchange 
Commission, Office of the Comptroller of the Currency, Board of Governors of the Federal 
Reserve System, Office of Thrift Supervision, Secretary of the Treasury, and state insurance 
authorities have promulgated comparable safeguards requirements for the entities they regulate. 

15 U.S.C. § 1681e, 

Id.,§ 1 681w. The FTC’s implementing rule is at 16 C.F.R. Part 682. 

'"15 U.S.C. § 45(a). See, e.g.. In the Matter of Microsoft Corp. , FTC Docket No. C-4069 
(Dec. 20, 2002) (consent order) (alleging deception); fn the Matter of BJ’s Wholesale Club, Inc., 
FTC Docket No. C-4148 (Sept. 20, 2005) (consent order) (alleging unfairness). 

” See In the Matter of Twitter, Inc., FTC File No. 092 3093 (June 24, 2010) (consent 
order approved for public comment); In the Matter of Dave & Buster 's, Inc., Docket No, C- 
4291(Jun. 8, 2010) (consent order); FTC v. LifeLock, Inc., No. 2:10-cv-00530-NVW (D. Ariz. 
final order filed Mar. 15.2010); United States v. ChoicePoint, Inc., Flo. 1:06-CV-0I98-JTC 
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enforcement actions in this area addressed deceptive privacy statements - that is, the failure of 
companies to adhere to the promises they made to consumers regarding the security of their 
personal information.'® Since 2005, the Commission has also alleged, in appropriate cases, that 
the failure to maintain reasonable security is an “unfair” practice that violates the FTC Act.''* 
These cases, against well-known companies such as Microsoft, ChoicePoint, CVS, 


(N.D. Ga. final order filed Oct, 14, 2009); In the Matter of James B. Nutter & Co., FTC Docket 
No. C-4258 (June 12, 2009) (consent order); United States v. Rental Research Sens., Inc., No. 
0:09-CV-00524 (D, Minn, final order filed Mar. 6, 2009); FTC v. Navone, No. 2:08-CV-001842 
(D. Nev. final order filed Dec. 30, 2009); United States v. ValueClick, Inc., No. 2:08-CV-0171 ! 
(C.D. Cal. final order Mar. 17, 2008); United States v. American United Mortgage, No. 1 :07- 
CV-07064 (N.D. 111. final order filed Jan. 28, 2008); In the Matter of CVS Caremark Corp., 
Docket No. C-4259 (Jun. 18, 2009) (consent order); In the Matter of Genica Corp., Docket No. 
C-4252 (Mar. 16, 2009) (consent order); In the Matter of Premier Capital Lending, Inc., FTC 
Docket No. C-4241 (Dec. 10, 2008) (consent order); In the Matter of The TJX Cos., FTC Docket 
No. C-4227 (July 29, 2008) (consent order); In the Matter of Reed Elsevier Inc., FTC Docket 
No. C-4226 (July 29, 2008) (consent order); In the Matter of Life is good, Inc., FTC Docket No. 
C-4218 (Apr. 16, 2008) (consent order); In the Matter of Goal Fin., LLC, FTC Docket No. 
C-4216 (Apr. 9, 2008) (consent order); In the Matter of Guidance Software, Inc., FTC Docket 
No. C-4187 (Mar. 30, 2007) (consent order); In the Matter of CardSystems Solutions, Inc., FTC 
Docket No. C-4168 (Sept. 5, 2006) (consent order); In the Matter of Nations Title Agency, Inc., 
FTC Docket No. C-4161 (June 19, 2006) (consent order); In the Matter of DSW, Inc., FTC 
Docket No. C-4157 (Mar. 7, 2006) (consent order); In the Matter of Superior Mortgage Corp., 
FTC Docket No. C-4153 (Dec, 14, 2005) (consent order); In the Matter of BJ’s Wholesale Club, 
Inc., FTC Docket No. C-4148 (Sept, 20, 2005) (consent order); In the Matter of Nationwide 
Mortgage Group, Inc., FTC Docket No. C-9319 (Apr, 12, 2005) (consent order); In the Matter of 
Petco Animal Supplies, Inc., FTC Docket No. C-41 33 (Mar. 4, 2005) (consent order); In the 
Matter of Sunbelt Lending Servs., Inc., FTC Docket No. C-41 29 (Jan. 3, 2005) (consent order); 

In the Matter of MTS Inc., FTC Docket No. C-41 10 (May 28, 2004) (consent order); In the 
Matter of Guess?, Inc., FTC Docket No. C-409I (July 30, 2003) (consent order); In the Matter of 
Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002) (consent order). 

'* See In the Matter of Guidance Software, Inc., FTC Docket No. C-4187 (Mar. 30, 

2007) (consent order); In the Matter of Petco Animal Supplies, Inc,, FTC Docket No. C-4133 
(Mar. 4, 2005) (consent order); In the Matter of Guess?, Inc. , FTC Docket No. C-409 1 (July 30, 
2003) (consent order); In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Deo. 20, 

2002) (consent order). 

''* See In the Matter of BJ's Wholesale Club, Inc., File No. 042 3160 (Sept 20, 2005) 
(consent order). 
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LexisNexis, and more recently, Dave & Busters and Twitter, have involved such practices as the 
alleged failure to: (1) comply with posted privacy policies;™ (2) take even the most basic steps to 
protect against common technology threats;^' (3) dispose of data safely;™ and (4) take reasonable 
steps to guard against sharing customer data with unauthorized third parties.™ In each case, the 
Commission obtained significant relief, including requiring the companies to implement a 
comprehensive information security program and obtain regular third-party assessments of the 
effectiveness of that program.™ In some cases, the Commission also obtained substantial 
monetary penalties or relief.™' The Commission’s robust enforcement actions have sent a strong 
signal to industry about the importance of data security, while providing guidance about how to 


™ See, e.g.. In the Matter of Premier Capital Lending, Inc., FTC Docket No. C-4241 
(Dec. 1 0, 2008) (consent order); In the Matter of Life is good, Inc. , FTC Docket No. C-42 1 8 
(Apr. 16, 2008) (consent order); /n the Matter of Petco Animal Supplies, Inc., FTC Docket No. 
C-4133 (Mar. 4, 2005) (consent order); In the Matter of MTS Inc., FTC Docket No. 0-4110 
(May 28, 2004) (consent order); In the Matter of Microsoft Corp., FTC Docket No. C-4069 
(Dec. 20, 2002) (consent order). 

™ See. e.g.. In the Matter of Twitter, Inc., FTC File No. 092 3093 (June 24, 2010) 
(consent order approved for public comment); In the Matter of The TJX Cos. , FTC Docket No. 
C-4227 (July 29, 2008) (consent order); In the Matter of Reed Elsevier, Inc., FTC Docket No. C- 
4226 (July 29, 2008) (consent order). 

™ See. e.g., FTC v. Navone, No. 2:08-CV-001 842 (final order filed D. Nev. Dec. 30, 
2009); United States v. American United Mortgage, No. l:07-CV-07064 (N.D. 111. final order 
filed Jan. 28, 2008); In the Matter of CPS Caremark Corp., Docket No, C-4259 (June 18, 2009). 

™ See, e.g., United States v. Rental Research Svcs., No. 09 CV 524 (D. Minn, final order 
filed Mar. 6, 2009); United States v. ChoicePoint, Inc.,No. 1:06-CV-0198 (final order filed N.D. 
Ga. Oct. 14, 2009). 

™ In addition, beginning with the CVS case announced last year, the Commission has 
begun to challenge the reasonableness of security measures to protect employee data, in addition 
to customer data. See, e.g., In the Matter of CVS Caremark Corp., Docket No. C-4259 (Jun. 18, 
2009) (consent order). 

™ See, e.g., FTC v. Navone, No. 2:08-CV-00!842 (D. Nev. final order Dec. 29, 2009); 
United States v. ChoicePoint, Inc., No. 1:06-CV-0198 (final order filed N.D. Ga. Oct. 14, 2009). 
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accomplish this goal.“ 

2. Identity Theft 

Another important part of the Commission’s privacy agenda has been protecting 
consumers from identity theft, which victimizes millions of consumers every year. In 1998, 
Congress enacted the Identity Theft Assumption and Deterrence Act (“the Act”), which provided 
the FTC with a specific role in combating identity theft.” To fttlfill the Act’s mandate, the 
Commission created a telephone hotline and dedicated website to collect complaints and assist 
victims, through which approximately 20,000 consumers contact the FTC every week. The FTC 
also maintains and promotes a centralized database of victim complaints that serves as an 
investigative tool for over 1,700 law enforcement agencies. 

The Commission also played a lead role in the President’s Identity Theft Task Force 
(“Task Force”). The Task Force, comprised of 17 federal agencies and co-chaired by the FTC’s 
Chairman, was established by President Bush in May 2006 to develop a comprehensive national 
strategy to combat identity theft.^* In April 2007, the Task Force published its national strategy, 
recommending 3 1 initiatives to reduce the incidence and impact of identity theft.^’ The FTC, 
along with the other Task Force agencies, has been actively implementing these initiatives and 

Developments in state law have also played a major role in data security. The passage 
of state data breach notification laws beginning in 2003 required increased transparency for 
companies that had suffered data breaches and thus further enhanced the Commission’s data 
security enforcement efforts. See, e.g., Cal. Civ. Code §§ 1798,29, 1798.82-1789.84 (West 
2003). 

” ISU.S.C. § 1028 note, 

” Exec, Order No. 13,402, 71 Fed. Reg, 27,945 (May 15, 2006), 

” See The President’s Identity Theft Task Force, Combating Identity Theft: A Strategic 
Plan (2007), available at http://www.idtheft.gov7reports/StrategicPlan.Ddf . 
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submitted a final report in September 2008.™ Among other things, the Commission has trained 
victim assistance counselors, federal and state prosecutors, and law enforcement officials; 
developed and published an Identity Theft Victim Statement of Rights; and worked closely with 
the American Bar Association on a pro bono legal assistance program for identity theft victims. 

Finally, the Commission has worked to implement the identity theft protections of the 
Fair and Accurate Credit Transactions Act of 2003 (the “FACT Act”)."' Among other things, the 
FTC has acted aggressively to enforce consumers’ right under the FACT Act to receive a free 
credit report every twelve months from each of the nationwide consumer reporting agencies, so 
they can spot incipient signs of identity theft. For example, the Commission has brought action 
against a company offering a so-called “free” credit report that was actually tied to the purchase 
of a credit monitoring service.™ 

3. Children’s Privacy 

The Commission has also undertaken an aggressive agenda to protect children’s privacy. 
Since the enactment of the Children’s Online Privacy Protection Act in 1998 (“COPPA”) and its 


™ See The President’s Identity Theft Task Force Report (2008), available at 
http:/’/ww'w.idtheft.gov/rci'iorts/[DTRenort2008.Ddf . 

” Pub.L. 108-159. 

™ FTCv. Consumerinfo.com, Inc., SACV05-801AHS(MLGx) (C.D. Cal. final order 
filed Jan. 8, 2007). 

To provide further clarity to consumers, Congress recently enacted legislation requiring 
entities that advertise “free” credit reports to disclose that such reports are available pursuant to 
federal law at www.aniiualcrediti-eport.com . Pub.L, 11 1-24, coc///;erfat 15 U.S.C. 

§ I681j(g). The FTC has promulgated a rule to implement this requirement, 16 C.F.R. § 610, 
and this week issued eighteen warning letters to companies alleging failures to comply with the 
rule. 
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impiementing rule “ the FTC has brought 15 actions against website operators that collect 
information from children without first obtaining their parents’ consent. Tlirough these actions, 
the FTC has obtained more than $3.2 million in civil penaltie.s,^'* The Commission is currently 
conducting a comprehensive review of its COPPA Rule in light of changing technology, such as 
the increased use of mobile devices to access the Internet.^’ 

4. Unwarranted Intrusions 

The Commission has also acted to protect consumers from imwarranted intrusions into 
their daily lives, particularly in the areas of unwanted telemarketing calls, spam, and spyware. 
Perhaps the Commission’s most well-known privacy initiative is the Do Not Call Registry, 
w'hich has been an unqualified success. The Commission vigorously enforces the requirements 
of the Registry to ensure its ongoing effectiveness. The FTC has brought 64 actions alleging 
violations of the Do Not Call Rule. These actions have resulted in $39.9 million in civil 
penalties and $17.7 million in consumer redress or disgorgement. During the past year, the 
Commission has filed several new actions that attack the use of harassing “robocalls” - the 
automated delivery of prerecorded messages - to deliver deceptive telemarketing pitches that 
promise consumers extended auto warranties and credit card interest rate reduction services.^ 


”15 U.S.C. §§ 6501-6508; 16 C.F.R. Part 312. 

” For a list of the FTC’s COPPA cases, see 
httD://www.fic.gov7t)rivacv/privacvin.itiatives/childrens enf.hlml . 

” In spring 2010, the FTC announced it was seeking comment on a broad array of issues 
as part of its review of the COPPA Rule, See 

tittp:/7www.ftc.gov/privacY/privacvinitiatives./childrens 20l0rulereview.html . 

See, e.g., FTC v. Asia-Pacific Telecom, Inc, No. 10 CV 3168 (N.D. Ill, filed May 24, 

2010). 
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111 addition, since the enactment of the CAN-SPAM Act in 2003 ,” the Commission has 
brought dozens of law enforcement actions challenging spam, including cases involving 
deceptive spam, failure to honor opt-out requests, and failure to comply with requirements for 
adult labeling of spam messages!* For example, in June 2009, the FTC moved quickly to shut 
down a rogue Internet Sendee Provider (“ISP”) that knowingly hosted and actively participated 
in the distribution of illegal spam, child pornography, and other harmful electronic content. The 
FTC complaint alleged that the defendant actively recruited and colluded with criminals seeking 
to distribute illegal, malicious, and harmfiil electronic content.” After the Commission shut 
down this ISP, there was a temporary 30 percent drop in spam worldwide.'"’ Finally, since 2004 , 
the Commission has brought 15 spyware cases, targeting programs foisting voluminous pop-up 
ads on consumers and subjecting them to nefarious programs that track their keystrokes and 
online activities."" 

C. Ongoing Outreach and Policy Initiatives 

While the Commission’s consumer privacy models have evolved throughout the years, 
its activities in a number of areas have remained constant. In addition to enforcement, these 
include consumer and business education, research and policymaking on emerging technology 

” 15U.S.C. §§7701-7713. 

** Detailed information regarding these actions is available at 
httn://www.ltc.gov/bcp./conline/edcams/sDam,h'>i-ess.htm . 

39 Pricewert, LLC, No. 09-CV-2407 (N.D. Cal. final order issued Apr. 4, 2010). 

See Official Google Enterprise Blog, Q2 2009 Spam Trends, available at 
http://googleenterprise.blogspot.coin/1009/07/q2-2W9-soam-ttends.html . 

" Detailed information regarding each of these law enforcement actions is available at 
http://rvww.ftc.gov/bcp/edii/microsites/spvware/Iaw entbr.htm . 
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issues, and international outreach. 

1. Consumer and Business Education 
The FTC has done pioneering outreach to business and consumers, particularly in the 
area of consumer privacy and data security. The Commission’s well-known OnGuard Online 
website educates consumers about threats such as spyware, phishing, laptop security, and 
identity theft.^^ The FTC also developed a guide to help small and medium-sized businesses 
implement appropriate data security for the persona! information they collect and maintain.^’ 

The FTC has also developed resources specifically for children, parents, and teachers to 
help kids stay safe online. In response to the Broadband Data Improvement Act of 2008, the 
FTC produced the brochure Net Cetera: Chatting with Kids About Being Online to give adults 
practical tips to help children navigate the online world.'’'' In less than 10 months, the 
Commission already has distributed more than 3,8 million copies of its Net Cetera brochure to 
schools and communities nationwide. The Commission also offers specific guidance for certain 
types of Internet services, including, for example, social networking and peer-to-peer file 
sharing.'” In addition, the Commission recently launched Admongo.gov, a campaign to help 


See http://www.ongiiardoiiline.gov . Since its launch in 2005, OnGuard Online and its 
Spanish-language counterpart Alertaena Linea have attracted nearly 12 million unique visits, 

” See Protecting Personal Information: A Guide For Business, available at 
http://www.ftc.gov/iiifoseciiritv . 

See FTC Press Release, OnGuardOnline.gov Off to a Fast Start with Online Child 
Safety Campaign (Mar. 31, 2010), available at http://www.ftc.gov/opa/201 0/03/netcetera.shtni . 

See littp:/./www.onguardoiiline,gov/topics./social-networkinK-sites.aspx . 
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kids better understand the ads they see online and offline.'’'’ 

2. Research and Policymaking on Emerging Technology issues 

Over the past two decades, the Commission has hosted numerous workshops to examine 
the implications of new technologies on privacy, including forums on spam, spyware, radio- 
frequency identification (RFID), mobile marketing, contactless payment, peer-to-peer file 
sharing, and online behavioral advertising. These workshops often spur innovation and seif- 
regulatory efforts. For example, the FTC has been assessing the privacy implications of online 
behavioral advertising for several years. In February 2009, the Commission staff released a 
report that set forth several principles to guide self-regulatory efforts in this area: (!) 
transparency and consumer control; (2) reasonable security and limited retention for consumer 
data; (3) affirmative express consent for material retroactive changes to privacy policies; and (4) 
affirmative express consent for (or prohibition against) the use of sensitive data.'" This report 
was the catalyst for industry to institute a number of self-regulatory advances. While these 
efforts are still in their developmental stages, they are encouraging. We will continue to work 
with industry to improve consumer control and understanding of the evolving use of online 
behavioral advertising. 

3. International Outreach 

Another major privacy priority for the FTC has been cross-border privacy and 
international enforcement cooperation. The Commission’s efforts in this area are gaining greater 


See FTC Press Release, FTC Helps Prepare Kids for a World Where Advertising is 
Everywhere (Apr. 28, 2010), available at littp://www'.ftc.gov.''’opa/201 0/'()4/admoimoi .shtm . 

FTC Staff Report; Self-Regulatory Principles for Online Behavioral Advertising (Feb. 
2009), available at http:/ www.ftc.g:ov/os/2009/02/P085400behavadreport.pdf .. 


14 



115 


importance with the proliferation of cross-border data flows, cloud computing, and on-demand 
data processing that takes place across national borders. To protect consumers in this rapidly 
changing environment, the FTC participates in various international policy initiatives, including 
those in multilateral organizations such as the Organization for Economic Cooperation and 
Development (OECD) and the Asia-Pacific Economic Cooperation forum (APEC). 

In APEC, the FTC actively promotes an initiative to establish a self-regulatory 
framework governing the privacy of data transfers througliout the APEC region. The FTC just 
announced that it was one of the first participants in the APEC cross-border Privacy 
Enforcement Arrangement, a multilateral cooperation network for APEC privacy enforcement 
authorities. 

In a similar vein, earlier this year, the FTC, joined by a number of its international 
counterparts, launched the Global Privacy Enforcement Network, an informal initiative 
organized in cooperation with OECD, to strengthen cooperation in the enforcement of privacy 
laws. 

Finally, the Commission is using its expanded powers under the U.S. SAFE WEB Act of 
2006'*® to promote cooperation in cross-border law enforcement, including in the privacy area. 
The FTC has also brought a number of cases relating to the U.S.-EU Safe Harbor Framework, 
which enables U.S. companies to transfer personal data from Europe to tlie U.S. consistent with 
European privacy law."*’ For example, last fall, the Commission announced enforcement actions 

Pub. L. No. 109-455, 120 Stat. 3372 (2006) (codified in scattered sections 
of 15 U.S.C. and 12 U.S.C. § 3412(e)). 

® Companies self-certify to the U.S. Department of Commerce their compliance with a 
set of Safe Harbor privacy principles. If a company falsely claims to be part of this program, or 
fails to abide by its requirements, the FTC can challenge such action.s under its deception 
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alleging that seven companies falsely claimed to be part of the Framework. The orders against 
six of these companies prohibit them from misrepresenting their participation in any privacy, 
security, or other compliance program.® The seventh case is still in litigation.^' 

II. Lessons Learned 

Although the Commission plans to continue its ongoing enforcement, policy, and 
education initiatives, it recognizes that the traditional models governing consumer privacy have 
their limitations. 

The FTC Fair Information Practices model has put too much burden on consumers to 
read and understand lengthy and complicated privacy policies and then make numerous choices 
about the collection and use of their data. Indeed, privacy policies have become complicated 
legal documents that often seem designed to limit companies’ liability, rather than to inform 
consumers about their information practices. 

The harm-based model has principally focused on financial or other tangible harm rather 
than the exposure of personal information where there is no financial or measurable consequence 
from that exposure.® Yet there are situations in which consumers do not want personal 


authority. 

® See In the Matter of Directors Desk LLC, FTC Docket No. C-4281 (Jan. 12, 2010); In 
the Matter of World Innovators, Inc., FTC Docket No. C-4282 (Jan. 12, 2010); In the Matter of 
Collectify LLC, FTC Docket No. C-4272 (Nov. 9, 2009); In the Matter of ExpatEdge Partners, 
LLC, FTC Docket No. C-4269 (Nov. 9, 2009); In the Matter of Onyx Graphics, Inc., FTC 
Docket No. C-4270 (Nov. 9, 2009); In the Matter of Progressive Gaitways LLC, FTC Docket 
No. C-4271 (Nov, 9, 2009). 

See FTC v. Kavarni, Civil Action No. 09-CV-5276 (C.D. Cal. filed July 31, 2009). 

® See Speech of Timothy J. Muris, Protecting Consumers ’ Privacy: 2002 and Beyond, 
Cleveland, Ohio, October 4, 2001, available at 
http:.7\>ivvw.ftc.gov/speeches/mi]ris.''privisplOQ2.shtm. 


16 



117 


information to be shared even where there may be no risk of financial harm. For example, a 
consumer may not want information about his or her medical condition to be available to third- 
party marketers, even if receiving advertising based on that condition might not cause a financial 
harm. In addition, some have criticized the harm-based model as being inherently reactive - 
addressing harms to consumers after they occur, rather than taking preventative measures before 
the information is collected, used, or shared in ways that are contrary to consumer expectations.^^ 

In addition, there are questions about whether these models can keep pace with the rapid 
developments in such areas as online behavioral advertising, cloud computing, mobile services, 
and social networking. For example, is it realistic to expect consumers to read privacy notices 
on their mobile devices? How can consumer harm be clearly defined in an environment where 
data may be used for multiple, unanticipated purposes now or in the future? 
in. The FTC Privacy Roundtables 

To explore the privacy challenges posed by emerging technology and business practices, 
the Commission announced late last year that it would examine consumer privacy in a series of 
public roundtables.’'* Through these roundtables, held in December 2009, and January and 
March 2010, the Commission obtained input from a broad array of stakeholders on existing 
approaches, developments in the marketplace, and potential new ideas.” 

” See Daniel J. Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 
Hastings L.J. 1,5 (2003). 

^ See FTC Press Release, FTC to Host Public Roundtables to Address Evolving Privacy 
Issues (Sept. 15, 2009), available ai http:/Avww.ftc.gov/opa/2009/09/privacvrt.shtm . 

” Similar efforts are underway around the world. For example, the OECD is preparing 
to review its 1980 Privacy Guidelines {see 

http:,'', 'WWW. oecd.org/documeiit/39/0.3343.en 2649 34255 44946983 1 I I l.OO.litml) : the 
European Commission is undertaking a review of the 1995 Data Protection Directive {see 
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The roundtables generated significant public interest. Over 200 representatives of 
industry, consumer groups, academia, and government agencies participated in the roundtables, 
and the Commission received over 100 written comments. 

Several common themes emerged from these comments and the roundtable discussions. 
First, consumers do not understand the extent to which companies are collecting, using, 
aggregating, storing, and sharing their personal information. For example, as evidence of this 
invisible data collection and use, commenters and panelists pointed to enormous increases in 
data processing and storage capabilities; advances in online profiling and targeting; and the 
opaque business practices of data brokers, which are not understood by consumers. In addition, 
as commenters noted, consumers rarely realize that, when a company discloses that it shares 
information with affiliates, the company could have hundreds of affiliates. 

Second, commenters and panelists raised concerns about the tendency for companies 
storing data to find new uses for that data. As a result, consumers’ data may be used in ways 
that they never contemplated. 

Third, commenters and roundtable participants pointed out that, as tools to re-identify 


httpvVec.eurona.eu/iustice home/newg/consulting public/news consulting 0003 en.litm ): and 
the International Data Protection Commissioners’ Conference released a set of draft privacy 
guidelines (see 

http:/./www. Drivacvco.nfereiice2009.org/dpas spaee/Resolucioahndex-iden-idphp.DhD '). The 
FTC is closely following these international developments, recognizing that the market for 
consumer data is becoming increasingly globalized and consumer data is more easily accessed, 
processed, and transferred across national borders. 

In addition, following the FTC roundtables, the Department of Commerce also held a 
workshop and issued a Notice of Inquiry on the related subject of privacy and innovation, in 
which the FTC has submitted a comment. See In the Matter of Privacy and Innovation in the 
Information Economy, Docket No. 1 00402 1 74-0 175-01, Comments of the Federal Trade 
Commission (June 2008), available at http://www.ftc.gdv/Qs/20 1 0/06/ 1 0Q623ntiacomments.pdf . 
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supposedly anonymous information continue to evolve, the distinction between personally 
identifiable information (“PE”) and non-PH is losing its significance. Thus, information 
practices and restrictions that rely on this distinction may be losing their relevance. 

Fourth, commenters and roundtable participants noted the tremendous benefits from the 
free flow of infonnation. Consumers receive free content and services and businesses are able to 
innovate and develop new services through the acquisition, exchange and use of consumer 
infonnation. Commenters and participants noted that regulators should be cautious about 
restricting such information exchange and use, as doing so risks depriving consumers of benefits 
of free content and services. 

Fifth, commenters and roundtable participants voiced concerns about the limitations of 
the FTC Fair Information Practices model. Many argued that the model places too high a burden 
on consumers to read and understand lengthy privacy policies and then ostensibly to exercise 
meaningful choices based on them. Some participants also called for the adoption of other 
substantive data protections - including those in earlier iterations of the Fair Information 
Practice Principles - that impose obligations on companies, not consumers, to protect privacy. 
Such participants argued that consumers should not have to choose basic privacy protections, 
such as not retaining data for longer than it is needed, that should be built into everyday business 
practices. 

Sixth, many commenters called upon the Commission to support a more expansive view 
of privacy harms that goes beyond economic or tangible harms. There are some privacy harms, 
these participants argued, that pose real threats to consumers - such as exposure of information 
about health conditions or sexual orientation -- but cannot be assigned a dollar value. 

Finally, many participants highlighted industry efforts to improve transparency for 
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consumers about the collection and use of their information. At the same time, commenters 
questioned whether the tools are consistent and simple enough for consumers to embrace and use 
effectively, 

IV. The Proposed Legislation 

Chairman Rush and Chairman Boucher have each proposed legislation to advance the 
goal of improving privacy protections in the commercial marketplace. The Commission shares 
the goal of protecting consumer privacy and appreciates the opportunity to comment on the 
proposed legislation. Both legislative proposals include some key policy objectives that the 
Commission supports. For example, both proposals include requirements for reasonable data 
security for customer information, a measure which the Commission has long encouraged, as 
described above. The Commission also supports the proposals’ data accuracy requirements, 
especially where the data will be used for decisions about consumers’ eligibility for important 
benefits and services. 

Further, both proposals give the FTC limited rulemaking authority under the 
Administrative Procedures Act (APA).“ If Congress enacts privacy legislation, the Commission 
agrees that such legislation should provide APA rulemaking authority to the Commission. In 
particular, at the FTC’s privacy roundtables, many stakeholders expressed concern about the 
significant difficulties associated with providing effective privacy disclosures. The content, 
timing, and scope of privacy disclosures required by the legislation would benefit from broad 
stakeholder input and consumer testing, which can be accomplished in an APA mlernaking. 

Both proposals also include measures to simplify consumers’ ability to exercise choice 


5U.S.C. § 552 etseq. 
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about how their data is collected and used. Simplifying choice would address concerns that 
consumers bear a heavy burden in having to read and understand lengthy privacy policies, and to 
exercise meaningful choices based on those policies. One way to simplify choice is to recognize 
that consumers do not need to exercise it for certain commonly accepted business practices ~ 
those that fall within reasonable consumer expectations. For example, it is unnecessary, and 
even di.stracting, to ask a consumer to consent to sharing his or her address information with a 
shipping company for purposes of shipping a product that the consumer has requested. By 
eliminating the need to exercise choice for such practices, consumers can focus on the choices 
that really matter to them, and on uses of data that they would not expect when they engage in a 
transaction. 

To this end, the proposals exempt companies from having to secure consumers’ consent 
to share their data for “operational” or “transactional” purposes, such as fulfillment. The 
Commission supports this general approach, especially if it allows more meaningful consent for 
uses of data beyond these purposes. The challenge will be to define “operational” or 
“transactional” purposes in a way that tracks consumers’ reasonable expectations. Commission 
staff would be pleased to provide technical comments on these definitions. 

If Congress enacts legislation in this area, the Commission urges it to consider some 
additional issues that are either not addressed in one or both proposals or that we recommend be 
modified. First, although it is important that companies make information about their privacy 
practices available to consumers, the Commission believes that any disclosure should emphasize 
important information consumers need to make choices, at a time when the consumer is making 
them. Short, clear disclosures could also enable consumers to compare privacy protections 
offered by different companies more easily and thus could promote competition among 
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businesses on privacy. If legislation is enacted, the Commission believes that it is important that 
it incorporate the need for simpliited disclosures at a relevant point for consumers. FTC 
rulemaking authority could provide guidance for this requirement. 

Second, sharing of individuals’ data among companies affiliated through common 
ownership should not necessarily be exempt from consent requirements. As noted in the 
Commission’s behavioral advertising report and at the Commission’s roundtables, consumers 
often do not understand relationships between companies based on corporate control. Thus, if a 
company states that it does not share data with third parties, consumers may be suiprised if that 
company shared data with dozens, or even hundreds, of affiliates.'’ The Commission suggests 
that any privacy legislation take this issue into consideration. 

Third, the Commission has concerns about the safe harbor mechanism contained in the 
proposed legislation, under which the FTC could approve multiple industry-led “choice 
programs.” One of the key themes that emerged from the privacy roundtables was the need for 
simplicity in the exercise of privacy choices. Creating multiple consent mechanisms that may 
differ in important ways risks adding to consumer confusion. 

The Commission looks forward to working with Congress to address these issues and 
others to accomplish our shared objective of improving consumer privacy, while supporting 
beneficial uses of information and technological innovation. 

V. Conclusion 

The Commission is grateful for the opportunity to provide an overview of its activities in 
the privacy arena and to present these general comments on the legislative proposals. We look 
forward to continuing this important dialogue with Congress and this Subcommittee. 

See University of California at Berkeley, School of Information, KnowPrivacy, June 
2009, at 28, available at httn://www.kiiowprivacv.org/reporriKnowPrivacv Final Report.pdf . 
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Mr. Rush. The Chair now recognizes Ms. Harris for 5 minutes. 

TESTIMONY OF LESLIE HARRIS 

Ms. Harris. Chairman Rush, Ranking Member Whitfield, mem- 
bers of the Subcommittee, on behalf of CDT I thank you for the op- 
portunity to testify today. Chairman Rush, you. Chairman Boucher, 
Representative Stearns have shown great leadership in putting the 
issue of consumer privacy legislation back on the Congressional 
agenda. 

At a time when more and more personal information is collected, 
analyzed and sold, an astonishing 88 percent of Americans are con- 
cerned about their online privacy. A consumer privacy law is long 
overdue. Drafting a privacy law that can stand the test of time re- 
quires a careful balancing of interest. The law must provide con- 
sumers rights, it must provide meaningful obligations for compa- 
nies, and at the same time it has to be flexible and high level 
enough to respond to the rapid changes in technology and changing 
business models. It needs to give companies certainty while at the 
same time encouraging privacy, innovation, and accountable prac- 
tices, and of course, it needs strong enforcement. CTD believes the 
bills before the Subcommittee today include the essential building 
blocks for a privacy law that meets this test. Chairman Boucher’s 
draft, the critical first steps to that end, we believe the Best Prac- 
tices Act builds on that draft to significantly advance the discus- 
sion. 

Let me just mention a few key points. Fair Information Practices, 
commonly known as FIPs, must be the foundation of any consumer 
privacy law. The Boucher draft provides the basic obligations in no- 
tice, and choice, and security, but as Mr. Vladeck said, that places 
most of the burden on the consumer to figure out notices. Best 
Practices goes further to a full set of substantive Fair Information 
Practices that place obligations on companies for things like speci- 
fying purposes, limiting data collection to those purposes, mini- 
mizing how long one retains data, paying attention to data quality, 
and integrity. And we think that in this complex environment all 
of those obligations are critical. 

With respect to cope — scope, excuse me, CDT does support the 
application of a single baseline set of rules to be online and offline 
environment. We do support a robust definition of covered informa- 
tion and heightened protection for sensitive information, and we 
strongly support the special rules for covered entities, right now 
mainly ISPs, that collect all or substantially all of an individual’s 
data stream. We are pleased with the innovative provision on ac- 
countability in Best Practices, which requires companies to conduct 
PIAs, Privacy Impact Assessments, and periodic reviews of privacy 
practices. American companies including my colleagues from Intel, 
HP, and Microsoft have been the global leaders in developing an 
accountable privacy culture within companies and we think this 
provision will broaden the culture of responsibility for all covered 
entities. 

We also strongly support the inclusion of a safe harbor provision. 
Safe harbors, when they are backed up by rigorous internal compli- 
ance and some FTC supervision, can take account of differences be- 
tween industries and create certainty for companies. It can encour- 
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age privacy innovation and reward the adoption of accountable 
practices. 

Finally, strong enforcement must back up privacy rules, and we 
endorse the dual enforcement regime at the FTC and with the 
State Attorneys General. And we also applaud the inclusion of a 
strong private right of action in the Best Practices bill. 

Mr. Chairman, thank you for the opportunity to testify and hold- 
ing this important hearing. We intend to submit a lengthy side by 
side of the bills and our recommendations for moving forward, and 
we look forward to working with you to enact historic privacy legis- 
lation that consumers are strongly demanding and that we believe 
businesses need to compete in the global economy. 

[The prepared statement of Ms. Harris follows:] 
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Before the House Committee on Energy and Commerce. 

Subcommittee on Commerce. Trade, and Consumer Protection 

THE BEST PRACTICES ACT OF 2010 AND OTHER FEDERAL PRIVACY 
LEGISUTION 

July 22, 2010 

Chairman Rush, Ranking Member Whitfield, and members of the Subcommittee: 

On behalf of the Center for Democracy and Technology (CDT),’ I thank you for 
the opportunity to testify today. Chairmen Rush and Boucher have shown great 
leadership in putting the issue of consumer privacy legislation back on the 
Congressional agenda. In a complex global economy, CDT believes a 
comprehensive set of rules for the collection and use of consumer data is long 
overdue. 

The bills that are being discussed today provide the essential building blocks for 
a modern and flexible consumer privacy law based on established fair 
Information practices that safeguard consumer privacy and encourage economic 
growth. Chairman Boucher's draft was a promising and important step on the 
road to omnibus legislation. Chairman Rush's BEST PRACTICES bill builds on 
that draft to significantly advance the discussion. 

In my remarks today, I will comment on some of the most important building 
blocks drawn from these bills and offer a few suggestions for Improvement. In 
the next week, CDT will submit a side-by-side analysis of the two bills with 
additional recommendations to reconcile the two into a final bill that I ask be 
included in the record. 

t. The Need for Baseline Comprehensive Privacy Legislation 

Privacy is an essential building block of trust in the digital age. But as the 
hearing record of both the Subcommittee on Commerce, T rade, and Consumer 
Protection and the Subcommittee on Communications, Technology, and the 


’ CDT is a non-profit public interest organization dedicated to preserving and promoting privacy, 
civil liberties, and other democratic values on the internet. CDT is widely recognized as a leader in the 
policy debate on consumer privacy, and we regularly testify before Congress on legislation and 
investigations touching on a wide range privacy issues. 


1634 1 Street, NW 
Suite noo 
Washington, DC 20006 

P -M-202-637-9800 
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internet have documented, technology and market forces have created 
fundamental challenges to our assumptions about privacy. Massive increases in 
data storage and processing power have enabled diverse new business models 
predicated on the collection, analysis and retention of richly detailed data about 
consumers and their online — and offline — activities. While these new services 
and applications are often of great value to consumers, they also present new 
risks to consumer privacy. Americans turn to search engines to answer sensitive 
questions about their health. They use smart phone applications to pinpoint their 
location and obtain directions to a lawyer’s or therapist’s office. They shop, 
leaving digital traces of the book stores they browse, credit card numbers, and 
home and email addresses with “salesclerks” they never meet. 

While few consumers fully grasp the extent of this large and growing data trade, 
both the hearing record and numerous independent studies show that practices 
such as deep packet inspection, online behavioral advertising, and the merger of 
online and offline consumer data into profiles undermine consumer trust, the 
fundamental building block of Internet use.^ Privacy worries continue to inhibit 
some consumers from engaging in online shopping,^ and are a top reason 
consumers decline to adopt location-based services.'* A poll conducted by Zogby 
International in June 2010 found that 88% of Americans are concerned about the 
security and privacy of their personal information on the internet.^ 

Not only do the collection, sharing, and use of consumer data often clash with 
consumers’ reasonable expectations of privacy, these activities are increasingly 


^ See e.g., Scott Cleland, Americans Want Online Privacy - Per New Zogby Poll. Publius’ Forum, June 9, 
2010, http://www,pubi!usforum.com^010/06/19/americans-want-on!ine-privacy-per-new'Zogby-poil; Joseph 
Turrow, Jennifer King, Chris Jay Hoofnagle, Amy Bleakley & Michael Hennessey, Contrary to What 
Marketers Say, Americans Reject Tailored Advertising and Three Activities that Enable It (Sept. 2009), 
http://graphics8.nytimes.com/packages/pdf^usiness/20090929*Tailored_ Advertising.pdf. See also Alan F, 
Westin, Majority Uncomfortable with Websites Customizing Content Based Visitors Personal Profiles: Level 
of Comfort Increases when Privacy Safeguards Introduced. HarrisInteractive. April 1 0, 2008, 
http://www.harrisinteractive.comA/ault/Harris-lnteractive-Potl-Research-Majority-Uncomtortabte-with- 
Websites-Customizing-C'2008-04.pdf (in which majority of respondents said they were not comfortable with 
online companies using their browsing behavior to tailor ads and content to their interests even when they 
were told that such advertising supports free services); John B. Horrigan. Use of Cloud Computing Services. 
Pew Internet & American Life Project, September 2, 2008, 

http;//www,pewintemet.org/-'/media//Files/Reports/2008/PIP_Cloud,Memo.pdt,pdf (showing that 68% of 
users of cloud computing services say they would be very concerned if companies that provided these 
services analyzed their information and then displayed ads to them based on their actions). 

® See John B. Horrigan. Online Shopping. Pew Internet & American Life Project, February 1 3, 2008, 
hllp://www,pewinternet.org/~/media//Fiies^eports^08/PIP_Oniine%20Shopping,pdf,pdf, 

* Janice Y. Tsai, Patrick Gage Kelley, Lorrie Faith Cranor. & Norman Sedeh, Location-Sharing Technologies: 
Privacy Risks and Controls. CyLab Usable Privacy & Security Laboratory 18 (2010). 
http://cups.cs.cmu.edu/LBSprjvacy/fites/TsaiKelieyCranorSadeh_2009.pdf- 

® This poll also found that 80% of Americans are concerned about companies recording their online activities 
and using this data to advertise and turn a profit. See Scott Cleland. Americans Want Online Privacy - Per 
New Zogby Poll. Publius' Fc«um, June 9. 2010, htlpJ/www-pubtiusforum-com/2010AD6/19/americans-want- 
online-privacy-per-new-zogby-poll. 
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outside of consumers’ control. Online, even very savvy consumers are being 
thwarted in their efforts to take technolc^lcal steps to protect their privacy and are 
seeing the privacy decisions ttiey make directly overridden.® 

The lack of consumer trust in the Internet also threatens to undermine the 
American economy. As the FCC wrote In the National Broadband Plan, a 
networked, "high-performance America" will require a policy framework that 
ensures the protection of consumers' privacy: 

As aspects of individuals’ lives become more “digitized” and 
accessible through or gleaned from broadband use, the disclosure 
of previously private, personal information has made many 
Americans wary of the medium, innovation will suffer if a lack of 
trust exists between users and the entities with which they interact 
over the Internet. Policies therefore must reflect consumers’ 
desire to protect sensitive data and to control dissemination and 
use of what has become essentially their “digital identity.” 

Ensuring customer control of personal data and digital profiles can 
help address privacy concerns and foster innovation.^ 

The Department of Commerce — in a recent Notice of inquiry,® and the Federal 
Trade Commission — in a recent series of roundtables,® have both emphasized 
that privacy protections provide a foundation for e-commerce and the full 
realization of the potential benefits of the networked world. Yet the United States 
still has no comprehensive law that spells out consumers’ privacy rights in the 
commercial marketplace. Instead, a confusing patchwork of distinct standards 
has developed over the years, with highly uneven results and many gaps in 
coverage. For example, while there is a strong privacy law for cable viewing and 
video records, the collection and use of purchasing data, search data, and 
location data held by smart phone applications are subject only to the FTC’s 
general Section 5 authority. 


® Consumers who use their browser controls to block or delete traditional tracking cookies may have their 
choices overridden by advertising networks that simply use a new technology, such as Flash cookies or 
browser fingerprinting to track their online behavior. See Ashkan Sottani, Shannon Canty, Quentin Mayo, 
Lauren Thomas & Chris Jay Hoofnagle, Flash Cookies and Privacy, Social Science Research Network, 
August 10, 2009; Peter Eckersley. How Unique is Your Web Browser?. Electronic Frontier Foundation, 
https://panopticlick.ef{.org/t)rowser-uniqueness.pdf; Wendy Davis. ClearSight Launches Targeting Platform 
Tying IP Address to Offline Data, MediaPostNews, June 28. 201 0, 
hltp;//www,mediapost.com/publications/?fa=Afticies.showArticle&art..aid=l 31044, 

^ Federal Communciations Commission, Connecting America; The National. Broadband Plan 7-1 2, 52-57, 
http ://downioad, broadband, gov^lan/nalional-broadband-plan.pdf, 

® Information Privacy and Innovation in the Internet Economy, 75 Fed, Reg. 2l 226 (April 23, 201 0). 

® Exploring Privacy: A Roundtable Series, Federal Trade Commission (2009-2010). 
http;//www.ftC-gov/bcp/woii4shops/privacyroundtables- 
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For many companies, the growth of cloud computing is also bringing new 
urgency to the call for privacy legislation. As American companies continue to 
innovate and expand their markets overseas, they are finding that America’s 
weak privacy framework is bad for business. Without adequate privacy 
protections in place, individuals, companies, and governments in other countries 
do not feel comfortable — or In many cases are legally restricted from •— taking 
advantage of U.S. -based cloud computing services.'® With our advanced 
technology and infrastructure, U.S. companies and the U.S. economy are poised 
to lead adoption of this hugely important new generation of cloud-based services. 
But to do so, Congress must move quickly to put a robust privacy framework in 
place. 

il. Scope 

CDT strongly supports the enactment of a uniform set of baseline rules for 
personal information collected both online and off-line. Both the Boucher draft 
and the Rush BEST PRACTICES bill take this comprehensive approach. Modern 
data flows often involve the collection and use of data derived and combined 
from both online and offline sources, and the rights of consumers and obligations 
of companies with respect to consumer data should apply to both as well. CDT 
also supports both bills’ robust definitions of covered information, which go 
beyond traditional identifiers to include unique pseudonyms and persistent 
identifiers such as internet protocol (IP) addresses, and other information that 
could be reasonably be associated with an individual. The BEST PRACTICES 
bill currently empowers the FTC to update the definition of “sensitive information” 
in Section 2{8)(B). We agree with that approach and urge that the FTC also be 
empowered to adjust the definition of “covered information” as well to respond to 
technological and marketplace evolution. 

CDT appreciates the heightened protections in both bills for sensitive information, 
including precise location information. In our comments on Chairman Boucher’s 
draft bill, we argued for some expansion of the definition of “sensitive 
information," especially health information, and we think the new definitions in the 
BEST PRACTICES bill are close to the mark. 

CDT is concerned, however, with the potential breadth of the affiliate exception in 
Section 2{1 1) of Chairman Boucher’s draft bill and strongly urges that the sharing 


Article 25 of the EU Data Protection Directive states that the personal information of EU citizens may not 
be transmitted to nations outside of the EU unless those countries are deemed to have “adequate" data 
protection laws. The Article 29 Working Party does not consider U.S. law “adequate" (in part because the 
U.S. has no comprehensive data protection law), and thus in general personal information about EU data 
subjects may not be transferred to the U.S. for storage or other processing. While there are several 
compliance mechanisms, such as the U.S.*EU "Safe Harbor” agreement, that allow U.S. companies to 
process personal information from the EU. each comes with its own compliance challenges. For an in-depth 
discussion of these compliance challenges, see Commenfs of the Center for Democracy and Technology on 
Information Privacy and Innovation in the Internet Economy, CDT (201 0), 
http://www.cdt.org/files/pdfs^100613_doc_piivacy_noi.pdf. 
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of consumer informatbn among affiliates for advertising, marketing, and other 
non-operationai purposes be limited to entities under common branding with the 
covered entity — entities that a consumer would reasonably understand to be 
under common control. Otherwise this exception could be used to swallow the 
rule. We generally support the BEST PRACTICES bill's referral of this issue to 
the FTC for more precise definition. 

Finally, CDT is pleased to see that both bills have specific rules for covered 
entities that collect “all or substantially all” or certain categories of a consumer’s 
internet activity. CDT has long been concerned about companies such as 
internet service providers who have the ability to monitor all of a consumers’ 
online activity through deep packet inspection for advertising or other purposes.^^ 
We agree that this particularly invasive level of monitoring merits special rules, 
and should only be done on an opt-in, affirmative consent basis. However, we 
recognize that the term “all or substantially all” may not give companies sufficient 
clarity as to which practices are covered, nor does it prohibit narrow 
interpretations that would render this exception meaningless. CDT recommends 
that the scope of this definition be specifically referred to the FTC for further 
clarification. 

ill. Fair information Practices 

As both bills recognize, Fair Information Practices (FIPs)’^ must be the 
foundation of any comprehensive privacy framework. FIPs have been embodied 
to varying degrees in the Privacy Act, Fair Credit Reporting Act, and other 
sectoral federal privacy laws that govern commercial uses of information online 
and offline. While some have discussed moving away from FIPs in the past, new 
sets of protections created always revolve around the same basic eight ideas just 
using new terminology. The most recent government formulation of the FIPs 
offers a robust set of modernized principles that should serve as the foundation 
for any discussion of consumer privacy legislation. These principles, as 
described by the Department of Homeland Security in 2008, include:^^ 


’ ’ See What Your Broadband Provider Knows About Your Web Use: Deep Packet Inspection and 
Communications Laws and Policies: Hearing Before the Subcomm. on Telecomm, and the Internet of the H. 
Comm, on Energy arjd Commerce, ll0th Cong,, 1st Sess. (2008) (statement of Aiissa Cooper, Chief 
Computer Scientist, Center for Democracy & Technology): The Privacy Implications of Deep Packet 
Inspection: Hearing Before the Subcomm. on Commc'ns, Tech, and the Internet of the H. Comm, on Energy 
and Commerce, 1 1 1th Cong.. 1st Sess. (2009) (statement of Leslie Harris, President and Chief Executive 
Officer, Center for Democracy & Technology). 

The first set of FIPs was released in 1973 by the Health. Education, and Welfare Department. Since that 
time, various versions of the FIPs have been used by federal agencies internaliy and externally; each 
agency adopts and abides by its own set of Fair Information Principles, and these principles are reflected to 
some extent in the various U.S. sectoral privacy laws. FIPs additionally appear, with some variation, in 
many international frameworks, including the OECD guidelines of 1 980, the Council of Europe data privacy 
convention, and the EU Data Protection Directive. 

U.S. Department of Homeland Security. Privacy Policy Guidance Memorandum, The Fair Information 
Practice Principles: Framework for Privacy Policy at the Department of Homeland Security (December 
2008), http://www,dhs,gov/xiibrary/assets/privacy/privacy_policyguide_2008-01.pdf. 
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• T ransparency. Entities should be transparent and provide 
notice to the individual regarding their collection, use, 
dissemination, and maintenance of information. 

• Purpose Specification. Entities should specifically articulate 
the purpose or purposes for which personal information is 
intended to be used. 

• Use Limitation. Personal information should be used solely 
for the purpose(s) specified in the notice. Sharing of personal 
information should be for a purpose compatible with the 
purpose for which it was collected. 

• Data Minimization. Only data directly relevant and necessary 
to accomplish a specified purpose should be collected, and 
data should only be retained for as long as is necessary to 
fulfill a specified purpose. 

• Data Quality and Integrity. Entities should, to the extent 
practicable, ensure that data is accurate, relevant, timely, and 
complete. 

• individual Participation. Entities should involve the individual 
in the process of using personal information and, to the extent 
practicable, seek individual consent for the collection, use, 
dissemination, and maintenance of this information. Entities 
should also provide mechanisms for appropriate access, 
correction, and redress regarding their use of personal 
information. 

• Security. Entities should protect personal information through 
appropriate security safeguards against risks such as loss, 
unauthorized access or use, destruction, modification, or 
unintended or inappropriate disclosure. 

• Accountability and Auditing. Entities should be accountable 
for complying with these principles, providing training to all 
employees and contractors who use persona! information, and 
auditing the actual use of personal information to demonstrate 
compliance with the principles and all applicable privacy 
protection requirements. 

While both bills make significant headway toward the integration of the Fair 
Information Practice principles into U.S. privacy law, the BEST PRACTICES bill 
intelligently incorporates much of the feedback from Chairman Boucher's draft bill 
and puts forward strong FlPs-based privacy protections that go beyond notice 
and consent to a full set of substantive privacy protections. 

Transparency 

Both Section 3(a)(2)(B) of Chairman Boucher’s draft and Section 101 of the 
BEST PRACTICES bill require that covered entities entities make available 
detailed information about the collection, storage, and use of covered 
information. While the required information is important, privacy policies are 
notoriously difficult for consumers to understand, and striking the right balance 
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between readability and comprehensiveness has proven elusive. Given this 
challenge, we recommend that rather than mandating such detailed specific 
elements of notice, the FTC should be empowered to institute a rulemaking on 
the issue. Given the wide and ever-changing variety of mediums through which 
people communicate and share information, including Increasingly mobile 
devices, we strongly support the approach of Section 1 02(b) of the BEST 
PRACTICES bill to delegate to the FTC to determine how this notice should be 
presented to consumers. We also support that provision's explicit direction to the 
FTC to develop model short form notices that companies can adapt to make 
notice and consent more meaningful to consumers. 

Purpose Specification 

CDT is pleased that both bills have strong language requiring that companies 
clearly specify the purposes for which they collect and use consumer intormation. 
Sections 101(3), 101(4) and 102(a) of Chairman Rush’s bill require that covered 
entities disclose the specific purposes for which consumer data is being collected 
in a “concise, meaningful, timely, prominent, and easy-to-understand” fashion. 
Similarly, Section 3(a)(2)(B){iv) of Chairman Boucher’s bill requires notice of the 
specific purposes for which covered entities collect and use covered information. 

Use Limitation 

Neither bill explicitly states that a covered entity can only collect or use covered 
information for the purposes specified to the consumer. However, by mandating 
that covered entities affirmatively specify the purposes for which they collect or 
use personal information, we believe use limitation is implicitly incorporated into 
both bills by the sections cited above under “Purpose Specification,” 

CDT generally supports the provisions in both bills preventing companies from 
revising their privacy policies retroactively to apply to previously collected 
information. These provisions are consistent with the manner in which the FTC 
has applied its authority under Section 5 to such “material changes,”'’' but it is 
certainly preferable to have the principle spelled out explicitly in a privacy statute. 
We also endorse the provision in Section 105 in the BEST PRACTICES bill that 
requires covered entities to post new privacy policies for thirty days before they 
take effect so that consumers have ample opportunity to notice and assess the 
changes.’® 


Consent Decree, In re Gateway Learning Corp., FTC No, C-4120 fJuty 7, 2004), 
http://www.ftc,gov/os/casetist/0423047/0423047.shtm. 

While CDT does not expect that ordinary consumers will be checking the privacy policies of aii the 
websites they interact with on a monthly basis, privacy advocates do pay attention. As one telling example, 
last month, Appie made a change to its privacy policy regarding location tracking and behavioral targeting. 
Within a matter of days, bloggers and other tech writers immediately publicized the changes, to the extent 
that Apple eventually received a letter of inquiry from Congressmen Markey and Barton about the new 
policies. 


www,cdt.org 



Data Minimization 


CDT supports the language contained in Section 303 of the BEST PRACTICES 
bill that sets forth appropriate and well-considered high level requirements for 
data minimization. Data minimization must be an obligation of all companies that 
collect covered information, not just for those companies that take advantage of 
the individually managed profile exception, as is currently the case with Chairman 
Boucher’s draft bill. While we agree with Chairman Boucher that companies 
should not retain consumer data for longer than needed to fulfill the purpose for 
which it was collected, we are not comfortable setting a specific time limit for data 
retention in law as in Section 3(6)(2) of the draft bill. CDT believes that a 
consumer privacy law should avoid such highly prescriptive mandates, which 
may inadvertently freeze today's practices into law and discourage future 
innovation. Having said that, we also believe that Section 303 of the BEST 
PRACTICES bill would be improved if it specifically directed the FTC to issue 
regulations implementing this section. Given that the current framework has 
utterly failed to require or even encourage companies to adopt data minimization 
procedures, we believe that a direct provision requiring FTC implementation 
regulations is appropriate. 

Data Quality and Integrity 

CDT likes the broad but flexible language of both bills requiring that covered 
entities establish reasonable procedures to assure the accuracy of the 
Information they collect about consumers. The only material difference between 
Section 201 of the BEST PRACTICES bill and Section 4(a) of Chairman 
Boucher’s draft bill is that the former requires the FTC to issue regulations to 
implement and interpret this section, while the latter merely permits such 
regulation (through the general rulemaking powers in implementing the bill 
granted in Section 8(3)). Both approaches have merit. However, we believe that 
greater direction to covered entities would be useful to set flexible but meaningful 
baseline standards. We believe a directive to the FTC to adopt implementing 
regulations is appropriate. 

Individual Participation 

in general, CDT approves of the opt-out/opt-in choice framework of both bills: 
covered entities must offer a persistent opt-out for first-party data collection and 
use, and must get opt-in affirmative consent for the collection and use of 
sensitive information. For the sharing of covered information with third parties, as 
a default, covered entities must get opt-in consent, although both bills offer safe 
harbor provisions that allow companies to only offer an opt-out if they meet 
certain conditions (see infra Section IV. "Safe Harbor”). Obviously, “notice and 
choice” alone has proven insufficient to protect consumers, as that model places 
the entire burden for privacy protection on consumers to navigate an increasingly 
complex data environment. That is why a modern consumer privacy framework 
must incorporate all of the other FIPs in order to meet the privacy challenges 
posed by the vast array of 21st-century technology and business practices. 



The BEST PRACTICES bill includes very detailed provisions for granting 
consumers access and rights of correction for covered information. While we 
believe these provisions to be carefully considered, we are hesitant to 
recommend embedding such detailed provisions into law. Instead, we suggest 
that the Subcommittee consider referring some or all of this section to the 
Federal Trade Commission for implementing regulations. To the extent the 
BEST PRACTICES bill exempts safe harbor participants from certain access 
obligations (and the Boucher draft bill requires that only safe harbor participants 
grant consumers access), we recommend instead that reasonable access to 
stored covered information be treated as a universal obligation for all companies 
who collect and store covered information about consumers (see infra Section IV, 
“Safe Harbor,”). 

Security 

CDT endorses the standards set forth by Section 301 of the BEST PRACTICES 
bill and Section 4(b) ot Chairman Boucher’s bill that require covered entities to 
enact reasonable safeguards to protect the security of covered information. 
Companies should be held to an objective standard while having the freedom 
(and indeed, the responsibility) to innovate creatively to best protect consumers’ 
data. If the legislation does refer the question of security to the FTC for 
implementing regulations, it should also include the language ot Section 
602(c)(3) of the BEST PRACTICES bill, which prohibits the FTC from specifically 
prescribing particular technologies or products in regulations for security or other 
components of the bill. 

Accountabiiity and Auditing 

Finally, we strongly applaud the inclusion in Section 302 of the BEST 
PRACTICES bill of a requirement for companies to conduct Privacy Impact 
Assessments before collecting and using the data of large numbers of 
consumers, and to conduct periodic reviews of its privacy practices, American 
companies have played a leadership role in identifying and implementing 
accountable practices that safeguard privacy. In the absence of baseline privacy 
law, many companies have moved ahead with the appointment of privacy officers 
to guide internal privacy decision-making and to engage in privacy risk 
assessment and privacy by design.’® And just last week the European Union's 
Article 29 Working Party released an opinion that was devoted entirely to an 
exploration of promising accountability frameworks and that recommended 
adoption of new accountability mechanisms by companies that handle consumer 
data.’' As we noted in our comments on Chairman Boucher's draft, the inclusion 


For more information on how accountability measures can be incorporated into the product development 
cycle, see Matty Abrams. Ann Cavoukian, and Scott Taylor, Privacy by Design: Essential for Organizational 
Accountability and Strong Business Practices (Nov. 2007); http://www,ipc.on.ca/images/Resources/pbci- 
accountability_HP„CIPL,ptif. 

” Article 29 Working Party. “Opinion 3/2010 on the principle of accountability,'" 00062/10/EN WP 173 (July 
2010), http://www,huntonfiies.comAiies/webupioad/PrivacyLaw_Accountabilily^,WP29,pdf. 
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of accountability provisions in the iegislatton, is a way to encourage a culture of 
responsibility and accountability within covered entities.’® Doing so will also 
support the development of a global standard on accountability. 

IV. The Safe Harbor Framework 

CDT strongly supports the Inclusion of a safe harbor provision in the BEST 
PRACTICES Act CDT has long supported the use of a flexible safe harbor 
framework as the most effective tool to implement the Fair Information Practice 
principles over a wide range of industries that collect and use personal 
information.’® Given the necessary disparity in practices among varying groups 
such as behavioral advertisers, data brokers, small offline businesses, and 
multinational online retailers, a one-size-fits-al! approach that narrowly prescribes 
all data practices is likely to unfairly favor certain industries while stifling 
innovation and development in others. A carefully crafted safe harbor program 
— backed up by a rigorous internal compliance regime — that gives industries 
and industry segments flexibility to develop tailored privacy solutions that are 
consistent will the law, is the best way to accommodate differences between 
industries, create certainty for companies (because following approved practices 
would be deemed compliance with the privacy statute), encourage privacy 
innovation over time, and reward the adoption of accountable practices.^® 

Finding the right balance between industry self-regulation, encouraging new 
technologies and business practices that protect privacy, and government 
oversight is obviously the key challenge in defining the parameters of a 
reasonable safe harbor. In designing a safe harbor, it is important to strike a 
balance between strong incentives to participate in a safe harbor with meaningful 
regulatory oversight. We believe that the BEST PRACTiCES bill generally meets 
that test, We disagree, however with the approach of the BEST PRACTICES bill 
to the extent that it grants exemption from access requirements to covered 
entities which participate in an approved safe harbor (see supra, Section IV 
(“Individual Participation")). A safe harbor should not free participants from 
engaging in any particular Fair Information Practice. Rather, it should simply free 
them to develop alternative means to meet the requirement. 


Comments of the Center for Democracy and Technology on the Staff Discussion Draft of Consumer 
Privacy Legislation, CDT (2010), available at http://www.cdt.org/files/pclfs/20l00604_ boucher_bill,pdf. 

As noted by Ira Rubinstein in his comments to the Boucher draft bill, when Congress last considered 
online privacy legislation, several bills included provisions for a comprehensive self-regulatory safe harbor 
modeled on COPRA, including Rep. Markey's Electronic Privacy Bill of Rights Act of 1999 (H.R.3321, 106th 
Cong, § 4 (1999)); Sens. Burns and Wyden's Online Privacy Protection Act of 1999 (S. 809, 106th Cong, § 3 
(1999)); Rep. Stearns’ Consumer Privacy Protection Act of ^02 (H R. 4678, 107th Cong, §106 (2002)); and 
Sen. Hoflings' Online Personal Privacy Act (S. 2201, 107th Cong, § 203 (2002)), 

See also Letter to Chairman Rick Boucher from Professor Ira Rubinstein, June 1 , 2010. 
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V. Enforcement 

Baseline privacy legislation needs strong enforcement measures to give teeth to 
FlPs-based privacy protections, and the FTC does not need to go it alone. State 
attorney generals have brought a number of important online consumer 
protection oases in recent years, and they have a right and obligation to protect 
their citizens’ interests. Therefore GOT supports the approach in both bills to 
give enforcement to both the Federal Trade Commission and state Attorneys 
General. We also support the statutory penalty provision in Section 603 of the 
BEST PRACTICES bill, though we believe that these penalties should be 
available to the Federal Trade Commission as well as the states. As we have 
testified previously, we believe the FTC should be empowered to sue for 
statutory penalties for all Section 5 violations and already operates at a 
disadvantage vis-a-vis state attorneys general;^’ there is no need to create a 
parallel FTC disadvantage for violations of privacy legislation. 

CDT has long supported the inclusion of a strong private right of action in any 
privacy legislation. We are pleased Chairman Rush has included a private right 
of action in the BEST PRACTICES bill, but we think it could be strengthened by 
providing for liquidated damages instead of requiring that plaintiffs prove actual 
damages, and by extending the private right of action to all the Fair Information 
Practice principles, not just notice and choice. 

However, CDT does not object to compliant participants in safe harbor programs 
from being exempted from the private right of action. Companies need to have 
some degree of assurance that meeting the standards approved by the FTC will 
Insulate them from legal attack. If companies are in fact meeting those goals, 
they should not be subject to any legal action — either from government 
enforcers or private litigants. 

VI. Preemption 

CDT believes that preemption of state law in federal privacy law should be 
narrowly tailored to reach only those state laws that expressly cover the same set 
of covered entities and same set of requirements. Even then, CDT would only 
supports preemption if the federal law provides as much protection as the best 
state laws. CDT has previously objected to the overly broad preemption 
language contained in Chairman Boucher’s draft bill, which arguably provides for 
sweeping field preemption of all state privacy laws. We are gratified that the 
preemption language in the BEST PRACTICES bill aligns closely with our 
suggested language, which we think is narrowly tailored to reach only those state 
laws that expressly cover the same set of covered entities, while allowing states 
to specify additional protections on sensitive areas such as health and financial 
information. 


Ari Schwartz. Testimony of Ari Schwartz before the Senate Committee on Commerce, Science, and 
Transportation Subcommittee on Interstate, Trade, and Tourism, “Reauthorization of the Federal Trade 
Commission." September 12, 2007, www.cdt.org/privacy/20070912schwartz-testimony.pdf. 
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VII. Conclusion 

CDT would like to thank Chairntan Rush for the introduction of the BEST 
PRACTICES Act and for holding this Important hearing. Today, we have taken 
an important step forward toward enactment of the baseline privacy legislation 
that consumers strongly support and that businesses increasingly need to 
compete in the global economy. We look forward to working closely with the 
Committee on this legislation. Thank you again for the opportunity to testify. 


For more information, contact Leslie Harris, !harris@cdLoxg, or Justin Brookman, 
ju stin@cdt.oro at (202) 637-9800. 
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Mr. Rush. The Chair recognizes Mr. Hoffman for 5 minutes. 

TESTIMONY OF DAVID HOFFMAN 

Mr. Hoffman. Mr. Chairman, Ranking Member Whitfield, and 
members of the Subcommittee, I am David Hoffman, Director of 
Security Policy and Global Privacy Officer at Intel Corporation, and 
I appreciate the opportunity to testify before you today. 

Intel supports the Best Practices Act of 2010 and we believe that 
innovation requires a policy environment in which individuals feel 
confident that their privacy interests are protected. We thank 
Chairman Boucher and Ranking Member Stearns for putting for- 
ward such a thoughtful and important draft from which to work. 
Their bill and the Best Practices Act include many of the important 
concepts for a comprehensive U.S. privacy law and we strongly sup- 
port Congress’s efforts to legislate in this area. I congratulate you 
on the work you have done to protect consumer privacy and to pro- 
mote continued technology innovation. 

It is Intel’s mission to deliver the platform in technology ad- 
vancements that have become essential to the way we work and 
live. We see computing moving in a direction where an individual’s 
applications and data will move as that person moves through his 
or her day. To manage these applications and data, the individual 
will use a wide assortment of digital devices including servers, 
laptop computers, smart phones, tablets, televisions, and handheld 
PCs. Thus it is necessary that individuals have trust in being able 
to create, process, and share all types of data, including data that 
may be quite sensitive such as health and financial information. 
The provisions in the bills we are discussing today can help provide 
a policy environment which creates that trust. 

I would like to highlight five specific aspects of the two bills. 
First, we are pleased that both bills are technology neutral and 
give flexibility to the FTC to adapt the bill’s principles to changes 
in the technology. Maintaining technology neutrality in the legal 
framework provides protection for individuals in a rapidly evolving 
society as the creation of legislation and regulatory requirements 
will invariably trail innovation of new technology. We specifically 
like the Best Practices Acts guidance given to for the FTC to create 
regulations for certain key provisions of the bill. 

Second, we support federal legislation based upon the Fair Infor- 
mation Practices as articulated in the 1980 OECD Privacy Guide- 
lines. We are pleased that the Boucher/Stearns discussion draft is 
based upon the framework of the Fair Information Practices. Fur- 
ther, we are supportive of Chairman Rush’s bill which goes further 
and includes provisions applying all of the Fair Information Prac- 
tices such as individual access to data, data minimization, and pur- 
pose specification. 

Third, we are pleased that the Best Practices Act includes a pro- 
vision requiring covered entities to engage in the accountability 
processes in the deployment of technologies and services. In addi- 
tion we would advocate that a specific privacy by design require- 
ment also be included in the accountability section. A privacy by 
design model focuses on insuring that privacy is included as a 
foundational component of the product and service development 
process. Such a provision should not require compliance with detail 
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standards or mandatory third party product reviews, but should in- 
stead focus on including privacy into a business’s product and serv- 
ice development processes. 

Fourth, Intel commends both bills for contemplating that certain 
operational uses of data are implicitly consented to by individuals 
and should not require explicit notice and consent. Specifically 
Intel supports the Best Practices Acts drafting of such a use-based 
model. 

Fifth and finally, Intel is strongly supportive of Title IV of the 
Best Practices Act which establishes a safe harbor for participation 
and self-regulatory choice programs. Intel has long been a sup- 
porter of privacy trust mark problems and believes they provide a 
way to work with organizations on their accountability processes. 
We believe that in many instances trust marks and other similar 
mechanisms can substantially increase the reach and the effective- 
ness of government enforcement. This co-regulation is a better solu- 
tion than a private right of action which is likely to result in base- 
less claims, causing organizations to spend resources on litigation 
when those resources could be better directed toward the organiza- 
tion’s privacy compliance program. However, if a private right of 
action is included, then the choice program should continue to pro- 
vide a safe harbor from liability. 

Intel again thanks Chairman Rush and the Subcommittee for 
your excellent work to protect consumer privacy, and to promote 
and continue privacy innovation. We are supportive of the Best 
Practices Act, we look forward to continuing our engagement to im- 
prove the overall protection of privacy. 

[The prepared statement of Mr. Hoffman follows:] 



139 


PREPARED STATEMENT OF 
INTEL CORPORATION 
before the 

COMMITTEE ON ENERGY AND COMMERCE 
SUBCOMMITTEE ON COMMERCE, TRADE, AND CONSUMER PROTECTION 
U.S. HOUSE OF REPRESENTATIVES 
on 

"The BEST PRACTICES Act of 2010" and other 
Federal Privacy Legislation 


JULY 22, 2010 



140 


Introduction 


Mr. Chairman and Members of the Subcommittee, I am David A. Hoffman, Director of 
Security Policy and Global Privacy Officer of Intel Corporation. I appreciate the opportunity to 
appear before you today to discuss federal privacy legislation and specifically the BEST 
PRACTICES Act circulated by Chairman Rush and the discussion draft bill circulated by Chairman 
Boucher and Ranking Member Stearns. 

Intel Corporation has long supported the passage of comprehensive U.S. federal privacy 
legislation, as we believe such legislation is foundational so that individuals can have trust and 
confidence in their use of technology. The two bills include many of the important concepts for 
a comprehensive U.S. privacy law, and we strongly support Congress’ efforts to legislate in this 
area. I congratulate you on the work you have done to protect consumer privacy and to 
promote continued technological innovation. Intel thanks Chairman Boucher for putting 
forward such a thoughtful and important draft from which to build on, and with the minor 
changes discussed below, Intel supports the BEST PRACTICES Act and believes that its 
enactment would help further consumer privacy and the growth of the Internet. 

II. Need for Federal Privacy Legislation 

Intel is the leading manufacturer of computer, networking, and communications 
products. Intel has over 80,000 employees, operating in 300 facilities in 50 countries. In 2009 
Intel had over $37 billion in revenue from sales to customers in over 120 countries. Intel 
develops semiconductor products for a broad range of computing applications. These products 
are some of the most innovative and complex products in history. For example, an Intel Core 17 
processor has over 781 million transistors on each chip. It is our stated mission to serve our 
customers, employees, and shareholders by relentlessly delivering the platform and technology 
advancements that have become essential to the way we work and live. It is part of our 
corporate strategy to fulfill this mission by tackling big problems such as the digital divide, 
education, energy/environment, services, and health. However, we consistently hear that one 
of the barriers for using technology to address these problems is the concern that personal 
privacy will not be protected. Thus, Intel believes that putting in place a legal and regulatory 
system that provides for strong privacy protections is key to the growth of our business. 

Intel currently markets and is in the process of designing a wide array of products to 
work on these big problems. Our core product, the microprocessor, drives computers and 
servers, thus directly impacting the online experience of most individuals. Intel sees computing 
moving in a direction where an individual's applications and data will move as that person 
moves through his or her day. The person will wake to having data on a certain device in his or 
her home, will transition to a car that has access to those applications and data, will have 
access at work (which often will not be in a traditional office), and then will access the data and 
applications after work either at home or while socializing. To manage these applications and 
data, the individual will use a wide assortment of digital devices including servers, laptop 
computers, tablets, televisions, and handheld PCs. Intel's goal is to provide the semiconductor 
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products that will serve as the primary computing components for those devices. It is central to 
our strategy that individuals will have trust in being able to create, process, and share all types 
of data, including data that may be quite sensitive, such as health and financial information, 
Intel is well on its way to innovating these future technologies. However, all of this innovation 
requires a policy environment in which individuals feel confident that their privacy interests are 
protected. 

Intel is not working alone to make these innovations a reality. Companies worldwide 
need to be able to work with each other to bring innovative solutions to the global market. In 
the technology sector, it is rare when one company can work in isolation, whether they are 
creating hardware components, portions of the software stack, or services layered on top of 
the hardware and software. Companies need access to the best available people, processes 
and technology, to continue the innovations necessary to drive the global digital infrastructure 
and remain competitive in the global marketplace. Laws and regulations impacting the ability 
to collaborate and share information need to keep pace with our technical need for such 
collaboration. At the same time, and in addition to these technical preconditions, building trust 
in the digital economy is an essential component of driving the global digital infrastructure 
forward. Building a trusted environment in a systemic way not only benefits consumers and 
increases their trust in the use of technologies, but is vital to the sustained expansion of the 
Internet and future ecommerce growth.’ Intel strongly believes that comprehensive U.S. 
federal privacy legislation is a key mechanism for building this consumer trust in the Internet 
and ecommerce. 

III. Overall Framework of the Bill 


Intel is pleased that the BEST PRACTICES Act is technology neutral and gives flexibility to 
the FTC to adapt the bill's principles to changes in technology. Maintaining technology 
neutrality in the legal framework provides protection for individuals in a rapidly evolving 
technological society, as the creation of legislative and regulatory requirements will invariably 
trail innovation of new technology. Therefore, a focus on the application of principles -- neutral 
to the technology used -- enables a flexible, effective, and timely response. 

We are supportive of providing rulemaking authority to the FTC to flesh out certain 
specific requirements and to adapt the bill’s provisions to changes in technology. This 
rulemaking authority will provide flexibility for the FTC to respond to further innovation in 
technology and business models, and can be further enhanced by the FTC’s use of workshops 
and enforcement guidance. Specifically, we are pleased that the BEST PRACTICES Act allows the 
FTC to conduct rulemakings in several sections: Section 2(8){B) (allows the FTC to modify the 
definition of "sensitive information"); Section 2(10HC) (allows the FTC to modify the definition 
of "third party"); Section 102(b) (allows the Commission to conduct a rulemaking on the 


’ Intel has recently released a paper outlining our vision of the Global Digitat infrastructure, "Sponsoring Trust in 
Tomorrow's Technology: Towards a Global Digital Infrastructure Policy , " available at 
http://biogs.intei.eom/policy/2010/07/intei_releasesgiobaI_digitaMnfrastructure_vision_paper.php. 


2 



142 


content and delivery of notices to consumers); Section 102(d) (allows the FTC to modify the 
retention requirement for notices); Section 201 (allows the Commission to promulgate 
regulations on the accuracy of information); Section 202(j) and (k) (allow the Commission to 
promulgate rules on the exceptions to the right of access); Section 301 (the Commission can 
promulgate regulations on the Safeguards requirement); Section 404 (the Commission can 
approve a Choice Program); and Section 501(c)(2) (the Commission can promulgate rules 
regarding the reconstructing or revealing of identifiable information). 

All of these issues in which Chairman Rush's bill has allowed for the possibility of FTC 
rulemaking are highly contextual. It is critical to note the importance of context and to allow 
flexibility so that the bill can continue to apply to the information necessary to create trust in 
the digital economy. Flaving this flexibility is the only way to ensure that this bill will be able to 
stand the test of time.^ We also are supportive that the bill provides specific criteria that the 
Commission should use in making its determinations in those areas in which the FTC has been 
granted rulemaking authority. Only allowing the FTC to make rules that are consistent with 
congressional intent has worked well in other consumer protection statutes. 

See, e.g. The CAN-SPAM Act of 2003, 15 U.S.C. 7702(17)(B) ("The Commission by regulation 
pursuant to section 7711 of this title may modify the definition in subparagraph (A) to expand 
or contract the categories of messages that are treated as transactional or relationship 
messages for purposes of this chapter to the extent that such modification is necessary to 
accommodate changes in electronic mail technology or practices and accomplish the purposes 
of this chapter."). As with CAN-SPAM, Intel recommends that the FTC make certain that all 
regulations issued under this rulemaking authority should also be technology neutral, and that 
most context specific determinations are best handled by individual enforcement actions. 

We also are generally supportive of the bill's enforcement structure. We are pleased 
that both bills provide enforcement powers to the Federal Trade Commission and state 
Attorneys General. However, we prefer the provisions in the draft by Chairman Boucher that 
do not allow for a private right of action. We believe that allowing a private right of action will 
create unnecessary litigation costs and uncertainty for businesses, but will not have a 
corresponding benefit to protecting consumer privacy. We believe that strong and consistent 
enforcement by the FTC and the state attorneys general is more than sufficient to ensure 
compliance with the statute. Further, allowing for punitive damages, as in section 604 of the 
BEST PRACTICES Act, only further exacerbates the difficulties present in such a scheme. 
However, if a private right of action is included, we recommend also including the safe harbor 
from liability for those organizations participating in an approved Choice Program, as provided 
in Section 401(3) of Chairman Rush's bill. 


^ For instance, we support the bill's recognition of context in the definition of "covered information." The bill 
rightly recognizes that whether a unique persistent identifier, such as an IP addre-ss, should be covered under the 
statute is dependent upon how the IP address is used and whether it can identify a specific individual. 
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IV, OECD Fair Information Practices 


Intel supports federal legislation based on the Fair Information Practices (FIPs) as 
described in the 1980 Organization for Economic Co-operation and Development (OECD) 
Privacy Guidelines. The principles in these guidelines are as follows: 

1) Collection limitation Principle - There should be limits to the collection of personal 
data and any such data should be obtained by lawful and fair means and, where 
appropriate, with the knowledge and consent of the data subject. 

2) Data Quality Principle - Personal data should be relevant to the purposes for which 
they are to be used and, to the extent necessary for those purposes, should be accurate, 
complete and kept up-to-date. 

3) Purpose Specification Principle - The purposes for which personal data are collected 
should be specified not later than at the time of data collection and the subsequent use 
limited to the fulfillment of those purposes or such others as are not incompatible with 
those purposes and as are specified on each occasion of change of purpose. 

4) Use Limitation Principle - Personal data should not be disclosed, made available or 
otherwise used for purposes other than those specified in accordance with principle 3, 
above, except: (a) with the consent of the data subject, or (b) by the authority of law. 

5) Security Safeguards Principle - Personal data should be protected by reasonable 
security safeguards against such risks as loss or unauthorized access, destruction, use, 
modification or disclosure of data. 

6) Openness Principle - There should be a general policy of openness about 
developments, practices and policies with respect to personal data. Means should be 
readily available of establishing the existence and nature of personal data, and the main 
purposes of their use, as well as the identity and usual residence of the data controller. 

7) Individual Participation Principle - An individual should have the right: (a) To obtain 
from a data controller, or otherwise, confirmation of whether or not the data controller 
has data relating to him or her; (b) To have communicated to him or her, data relating 
to him or her (i) Within a reasonable time; at a charge, if any, that is not excessive; in a 
reasonable manner; and in a form that is readily intelligible to him or her; (c) To be given 
reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to 
challenge such denial; and (d) To challenge data relating to him/her and, if the challenge 
is successful to have the data erased, rectified, completed or amended, 

8) Accountability Principle - A data controller should be accountable for complying with 
measures which give effect to the principles stated above. 

V. Applying the OECD Fair Information Practices to these Bills 

Intel is strongly supportive of the overall framework in both of the bills, as they apply 
many of the OECD FIPs principles. For example, we are pleased that Chairman Boucher's 
discussion draft requires express affirmative consent for collecting or disclosing sensitive 
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information, requires reasonable procedures to assure the accuracy of covered information, 
and requires businesses to maintain the security of information. We are especially pleased that 
Chairman Rush's bill goes further and includes provisions applying all of the OECD FIPs, and we 
want to discuss five areas in particular. 

First, we are pleased that BEST PRACTICES Act incorporates the Fair information Practice 
of Individual Participation by including an explicit requirement of providing reasonable access 
to individuals to data that pertains to them (Section 202). Providing individuals access to data 
that relates to them is a necessary mechanism to building trust in the use of technology. We 
believe that the bill contains a reasonable approach that requires a covered entity to provide 
specific information (with a number of well-grounded exceptions) to individuals when the 
entity denies the individual a right, benefit, or privilege based upon the information. Yet when 
the covered entity does not deny the individual a right, benefit, or privilege, then a general 
notice or representative sample is all that is required. This middle-ground approach recognizes 
the realities of business operations, while at the same time providing strong consumer 
protections.^ 

Second, we are supportive of Chairman Rush's incorporation of the data minimization 
principle (Section 303). The large number of security breaches show us that the best way to 
mitigate the potential for harm to the individual is for the organization to minimize the amount 
of information it stores. Additionally, traditionally a data minimization provision is coupled with 
a collection limitation provision, which limits the amount of data to that which is necessary to 
fulfill the specified purpose of the data collection. We believe additional implementation of a 
collection limitation requirement should also be considered during discussions of the bill. 

Third, we support the principle of purpose specification, which is included in Section 
101(3) and (4) of the BEST PRACTICES Act. Purpose specification requires a business to look at 
the facts and circumstances through which the data is collected, and requires analyzing the 
collection from the perspective of why the individual believes he or she is providing the data. 
The OECD definition of Purpose Specification states that the purpose "should be specified not 
later than at the time of data collection." Given that privacy policies are only rarely read in 
detail by individuals, it is more appropriate to look to the context of the collection of the data 
to define the specified purpose. As smaller handheld computing devices are increasingly used 
over the next few years, it will be even more important to focus on the context of the 
collection, as the reading of lengthy privacy policies will be even more unlikely. Thus, we are 
also pleased that Section 102 mandates that notices must be "concise, meaningful, timely, 
prominent, and easy-to-understand" and that the section also takes into account that short 
notices may be appropriate, based upon such factors as the devices upon which notices are 
given. 


^ We are uncertain, however, whether it would be considered a denial of a "benefit" if a covered entity were to 
prohibit an individual from using a free web service based upon information that the entity possesses. However, 
such specific compliance questions iike this could be addressed in rulemaking proceedings. 
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Fourth, we strongly support Chairman Rush's inclusion of the concept of accountability 
in Section 302 of the draft. Accountability is a well-established principle of data protection, 
having longstanding roots in many of the privacy and security components comprising global 
trust legislation.*' Accountability requires an organization to make responsible, disciplined 
decisions regarding privacy and security. It shifts the focus from an obligation on the individual 
to have to understand complicated privacy notices to an organization's ability to demonstrate 
its capacity to achieve specified objectives. The accountable organization complies with 
applicable laws and then takes the further step of implementing a program ensuring the privacy 
and protection of data based on an assessment of risks to individuals. For example, companies 
can demonstrate accountability by innovating to build trust, such as by developing and selling 
more secure and privacy-enhancing component parts that have been vetted through processes 
such as development lifecycles that have privacy and security integrated as foundational 
elements. Intel and other like-minded companies are currently committing significant 
resources to "being accountable" in this way now, and we believe that the accountability 
provision is one of the more significant provisions in the draft.* 

Finally, while some organizations may believe that the Fair Information Practices 
concepts do not provide them with great enough certainty to construct their compliance 
programs, we feel strongly that any bill must be focused on these high level principles and 
concepts so that it will stand the test of time in an environment where technology is rapidly 
evolving. And the bill's approach to allow the FTC to further define and enforce flexible 
requirements, while gaining the assistance of industry and consumer groups to best define 
enforcement guidance, is the correct approach.* 

VI. "Use and Obligations" Model 

Intel is pleased that both bills have incorporated the concepts of "operational purpose" 
and "service provider" and have excluded uses in those definitions from the notice and consent 


** Although the definitions of accountability vary, a good approximation of the accountability concept is the 
following: "Accountability is the obligation and/or willingness to demonstrate and take responsibility for 
performance in light of agreed-upon expectations. Accountability goes beyond responsibility by obligating an 
organization to be answerable for its actions". Center for Information Policy Leadership, submission for Galway 
conference convened with the OECD in Dublin, Ireland. 

* We discuss in Section IX of the te.stimony how the concept of accountability can be incorporated into and 
further defined in a seif-regulatory choice program. 

We would like to point out two additional provisions that might need further clarification as the legislative 
drafting process occurs. First, we have questions regarding the definition of "publicly available information" in 
Section 2(7). Under this provision, we are uncertain whether the phrase "widely distributed media" in Section 
2{7){A)(ii) would include information distributed on the Internet, including "covered information” posted by third 
parties. Second, we are uncertain about how an individual's revocation of consent in Section 103(c) would work in 
practice. That section does not state what obligations a covered entity has with regards to covered information 
once an individual executes a subsequent opt-out. Further, the section is silent as to a covered entity's obligations 
with regards to information already transferred to a third party under a covered entity's privacy policy. 
Operationally, it would be highly impractical to take any action regarding data already legally transferred to a third 
party; if the section is to contain any post opt-out obligations, it likely would have to apply only to subsequent uses 
by the collecting "covered entity” or transfers of data to third parties. 
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provisions, Intel supports what is known as a "use and obligations" model, which has been 
thoroughly explained in The Business Forum for Consumer Privacy's paper entitled "A Use and 
Obligations Approach to Protecting Privacy," available at 

Mtp://www. huntonfiles.com/files/webupload/CIPL_Use_and_Obligations_White_ Paper.pdf. 
The "use and obligations" framework states that the way an organization uses data determines 
the steps it is obligated to take to provide transparency and choice to the consumer, to offer 
access and correction when appropriate, and to determine the appropriateness of the data — 
with respect to its quality, currency and integrity — for its anticipated use. The model notes 
five categories of data use where individuals implicitly give consent to the collecting entity and 
service providers based on the context of the provision of their data. These five categories of 
data use are: (1) fulfillment; (2) internal business operations; (3) marketing; (4) fraud 
prevention and authentication; and (5) external, national security and legal. 

We believe that Chairman Rush's "operational purpose" definition rightly covers these 
five categories of information and appropriately comes to the conclusion that neither notice 
nor choice are required for purposes such as processing a customer's transaction, website 
analytics, fraud prevention, complying with a court order, etc. We slightly disagree with the 
bill's approach on the use of data for marketing purposes, however. 

The BEST PRACTICES Act excludes from the definition of "operational purpose" any data 
that is used for marketing or advertising (Section 2(5)(B)(i)). We believe, however, that notice 
and opt-out choice should not be not required for all marketing activities. Instead, we support 
The Business Forum for Consumer Privacy's model that "just-in-time" notice must be provided 
if the marketing initiatives would not be expected by the consumer. For other marketing, 
companies must provide an easy-to-read, discoverable privacy policy. Because we believe that 
reasonable consumer expectations should be the controlling factor in deciding whether notice 
is required, we thus support the provision in Section 2(5)(B)(ii) that excludes from the definition 
of "operational purpose" the use of information that would not be expected by a consumer 
acting reasonably under the circumstances. We believe that this concept should be guiding for 
both clauses in Section 2(5)(B). 

VM. Privacy by Design 

Over the past several years, regulators in multiple jurisdictions have called for more 
formalized and widespread adoption of the concept known as "Privacy by Design." Privacy by 
Design asserts that the future of privacy cannot be assured solely by compliance with 
regulatory frameworks; rather, privacy assurance must become an organization's default mode 
of operation. The consensus view of these regulators - including the European Union's Article 
29 Working Party, the FTC, and the European Data Protection Supervisor - has been that the 
voluntary efforts of industry to implement Privacy by Design have been insufficient. 

Although Intel is pleased that Section 302 of the BEST PRACTICES Act incorporates the 
principle of accountability (of which Privacy by Design is one form), we believe that Section 302 
should specifically include a Privacy by Design provision as well. A Privacy by Design principle 
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should encourage the implementation of accountability processes in the development of 
technologies and services. To achieve its objective, the principle should avoid mandatory 
compliance to detailed standards, or mandatory third party detailed product reviews, as this 
would decrease time to market and increase product costs. This would be particularly the case 
when it is unclear whether third parties would have the appropriate resources or skill sets to 
effectively review the technology. Instead, a Privacy by Design accountability model should 
focus on making certain privacy is included as a foundational component of the product and 
service development process. 

Intel views Privacy by Design as a necessary component of our accountability 
mechanisms that we implement in our product and service development processes. We would 
encourage the Subcommittee to include a provision in the bill specifically requiring that 
organizations ensure that privacy is included as a principle in product and service development 
processes. 

VIII. Self-Regulatory Choice Program 

Intel strongly supports Title IV of the BEST PRACTICES Act, which establishes a safe 
harbor for participation in a self-regulatory choice program. Intel has long been a supporter of 
privacy trust mark programs, and believes they should be fostered to provide mechanisms to 
work with organizations on their accountability processes. In the past, I have served on both 
the Steering Committee for BBBOnline, and on the Board of Directors of TRUSTe (on which I 
was Chair of the Board's Compliance Committee). Privacy trust marks, when provided with the 
benefit of a safe harbor through legislation, and when assisted by robust regulatory 
enforcement, can be the best mechanism to make certain that companies proactively put in 
place the organizations, systems, tools, policies, and processes necessary to proactively respect 
the privacy of individuals. We believe that in many instances, this co-regulation can be more 
effective than government or private enforcement alone, and we are pleased that the bill will 
incentivize businesses to participate in strong and robust programs. 

We encourage the drafters, however, to specifically link the Accountability principle 
found in Section 302 back to Title IV's self-regulatory choice framework, and make explicit that 
participants in a self-regulatory choice program must incorporate accountability concepts into 
their requirements. Additionally, when the ETC is devising the criteria that must be present in 
self-regulatory programs in order to gain approval under the statute, we encourage the 
Commission to look to the work currently occurring between industry, think tanks, and 
government representatives that is further defining the elements of an accountable 
organization.^ 

Further, such Choice Programs will only be effective if individuals have knowledge of the 
opt-out provisions of Section 403(1)(A). We thus support the consumer and business education 


^ We would specifically direct the FTC's attention to the Center for Information Policy Leadership's Galway 
Project, mentioned above. 
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campaign required under Section 702 of the BEST PRACTICES Act. The FTC conducted a highly 
successful education campaign to promote the National Do Not Call Registry,® and we are 
pleased to see that a similar effort would be conducted with this bill. 

IX. Conclusion 


Intel again thanks Chairman Rush and the Subcommittee for the opportunity to engage 
in this debate. We are appreciative of the considerable thought that was put into both bills, 
which has allowed us to have this discussion today. In addition, Intel is supportive of moving 
forward with the BEST PRACTICES Act, and we look forward to continuing our engagement in 
helping to think about ways to improve the effectiveness of the U.S, legal framework and the 
overall protection of privacy. 


See www.donotcall.gov. 
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Mr. Rush. Mr. Mierzwinski, you are recognized for 5 minutes. 

TESTIMONY OF ED MIERZWINSKI 

Mr. Mierzwinski. Thank you very much. Thank you very much 
Chairman Rush and Ranking Member — I was trying to work my 
timer — this one is not working, but I will try to stick to 5 minutes. 
Ranking Member Whitfield, members of the Committee, I am Ed 
Mierzwinski. I am Consumer Program Director for the Public In- 
terest Research Group, U.S. PIRG. My testimony as submitted in- 
cludes co-signed by the Consumer Federation of America and the 
Center for Digital Democracy. Since then four other organizations 
and I will provide this for the record: Consumer Action, the Con- 
sumer Watchdog, Privacy Rights Clearinghouse, and the World Pri- 
vacy Forum have also endorsed the testimony. 

I want to start out with one point that is really the main point 
that I want to make, and that is that the current digital marketing 
system does not meet consumer’s expectations of privacy. A recent 
study by two leading universities, the University of Pennsylvania 
and the University of California at Berkeley, found that most con- 
sumers believe that the government already protects their privacy. 
It does not. Instead we have a digital marketing system that I call 
or could call the Hoover model, and I am not talking about J. 
Edgar. I am talking about the vacuum cleaner. The vacuum cleaner 
model of collecting every bit of information, every web track that 
a consumer ever makes and keeping it forever is the way that com- 
panies like in their virtually unregulated digital ecosystem. And we 
have a system right now where the Federal Trade Commission has 
been hobbled for 30 or 40 years by limits on its ability to improve 
the rules that — and that and enforce the rules by the Maggots and 
Moss rulemaking that was imposed on it that this Committee tried 
to fix in the Wall Street Reform Act, but unfortunately the Wall 
Street Reform Act did not finally give the Federal Trade Commis- 
sion fully capable of making authority or full aiding and abetting 
liability, or the full ability to impose civil penalties, and we would 
hope that that would be on the committees agenda to continue to 
try to achieve those goals. 

But — so our organizations share long-standing concerns for con- 
sumer privacy and look forward to working with the Committee on 
these matters. And the Committee has had a long-standing history 
of bipartisan bases working on consumer privacy, so we are very 
encouraged by the work that was done first by Chairman Boucher 
and Ranking Member Stearns, and then by you. Chairman Rush, 
in putting together your thoughtful proposals. 

However, our concern is that the proposals tend to graft Fair In- 
formation Practices on top of the digital ecosystem that it just 
won’t work as well as a full Fair Information Practices based provi- 
sion might work. So we are suggesting that the committee start 
over and among the key elements of a revised bill would be a 
framework focused on overall data minimization. Anyone who 
knows the online and offline data collection industry will tell you 
that the focus is on data maximization, as I said, the Hoover 
model. “Every move you make” as the lyrics of the Police song go 
could be the data collection industry’s theme song as we are all 
being watched, compiled, analyzed, and then acted upon. While 
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tools involving opt-in and safe harbors for example provide greater 
control by a consumer, they do not constrain the dramatic and far 
reaching growth of online and offline data collection for personal- 
ized and innovative targeting. A vast automated and powerful data 
collection complex has emerged capable of generating and contin- 
ually revising a profile, a consumer x-ray of our habits, interests, 
worries, financial status, and everything else about us. It is now 
being collected not just on the Internet, but also whenever we use 
a cell phone, or play an online game, or use any other variety of 
electronic gimmickry that we might be carrying around with us. 

Some of the specific concerns that we have, again we think the 
bills are thoughtful for a start, but we would urge you to consider 
a few other things. First of all notice and choice are not enough. 
And I totally agree with the other witnesses that these bills go fur- 
ther than the industry preferred FIPs light of notice and choice. 
But we need to have a greater reliance on limiting the amount of 
information that is collected, used, and shared, increasing the 
knowledge of consumers, limiting data retention, and maximizing 
data minimization. 

The second, self-regulation has not worked. The Federal Trade 
Commission under various Administrations has failed in self-regu- 
lation, as has the industry. And there are several reports that I cite 
in my testimony that go through the details of how first the indi- 
vidual references service group self-regulatory body that sup- 
posedly regulated information brokers didn’t work in the 1990’s, 
then we have the network advertising initiative didn’t work, and 
there is an TAB provision that was started last year that we don’t 
think has worked. So we think we need greater oversight, greater 
statutory protections, and we need a broader private right of ac- 
tion. Although the Rush bill has a narrow private right of action, 
we don’t think enrich trial lawyers. We think private rights of ac- 
tion deter lawlessness and they encourage companies to comply 
with the law. And second, we believe that state laws should always 
be allowed to be stronger than federal law. If you have got a good 
enough federal law the states will move on and do other things. 
But if Congress doesn’t solve the job we need the States as quick 
responders to new problems. 

With that I will just conclude my comments and tell you that I 
am very pleased for our organization’s want to continue to work 
with you to refine and enhance this legislation. Thank you. 

[The prepared statement of Mr. Mierzwinski follows:] 
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Chairman Rush, Representative Radanovich and members of the committee: My name is 
Edmund Mierzwinski, Consumer Program Director for the non-profit, non-partisan U.S. Public 
Interest Research Group. My testimony today is also on behalf of the tbllowing consumer and 
privacy organizations, the Center for Digital Democracy and the Consumer Federation of 
America.’ 

Thank you for the opportunity to testify before you on the important matter of how information 
about consumers is collected and u.sed by businesses in the online and offline worlds. This 

legislative hearing examining H.R, , the “BEST PRACTICES Act,” and H.R. , a 

discussion draft to require notice to and consent of an individual prior to the collection and 
disclosure of certain personal information relating to that individual, is very timely. Every day, 
the collection and use of consumer information in a virtually unregulated marketplace is 
exploding. New technologies allow a web of interconnected businesses - many of which the 
consumer has never heard of - to assimilate and share consumer data in real-time for a variety of 
purposes that the consumer may be unaware of and may cause consumer harm. 

In this testimony, we hope to provide background on why granting consumers greater control of 
their personal information is critical public policy, why holding data collectors to compliance 
with the Fair Information Practices matters, and how the new ecology of data collection works. 
We will then comment on Chairman Rush’s proposal, the Best Practices Act, and on another 
draft bill before the full committee as circulated by members Boucher and Steams, and how 
those bills approach the problem and recommendations for improvements, 

Our organizations share longstanding concerns for consumer privacy and look forward to 
working with the committee on these matters. The committee has a long history of protecting 
consumer privacy on a bi-partisan basis, going back to its efforts to strengthen the 1999 Gramm- 
Leach-Bliiey Financial Modernization Act (GLBA). As passed, GLBA provided for greater 
privacy protection in the financial marketplace and allowed states to enact stronger financial 
privacy laws, although the Energy and Commerce committee’s laudable additional goal of 
requiring opt-in consent for data collection and sharing was unfortunately not achieved.^ 

SUMMARY 

Consumers today are surrounded by a powerful, sophisticated and ever growing marketing 
"ecosystem," which collects data from and about them, offline and online, in myriad ways. 
Collection points include online games, mobile phones, online video, email, display ads, search, 
in-store transactions, and public records - all these channels are tied together increasingly in 
real-time updates where users can be bought and sold instantly no matter where they may be. 

The lesson from the financial meltdown and the new financial law should be that Congress must 
proactively protect consumers - not as an afterthought. Consumers throughout the country 
increasingly depend on digital technologies to help them address critical issues related to their 
finances, health, and families. 


' Web addresses: U.S. PIRG (uspirg.org). Center for Digital Democracy {democraticmedia.org), Consumer 
Federation of America (consumerfed.org). 

^ Disclosure of Nonpubiic Personal Information, Public Law 106 - 102 , 15 U.S.C. § 801-6809, see Section 6807, 
Relation to State Laws, available at blt p://www.ftc,gov/privacv/glbact/glbsubl . htm ii6 807 last visited 21 July 2010) 
“(b) Greater protection under State law. For purposes of this section, a State statute, regulation, order, or 
interpretation is not inconsistent with the provisions of this subchapter if the protection such statute, regulation, 
order, or interpretation affords any person is greater than the protection provided under this subchapter. , 
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Today, the public has to maneuver through a complex array of increasingly personalized 
interactive services, including mobile and location-based applications, online videos, and social 
networks, as they seek information and engage in various transactions. Digital marketing poses 
new challenges to consumers, since it is able to combine ongoing data collection about 
individuals as they interact with entertainment or other information. The emergence of mobile 
and location-based marketing services, which permits the tracking and targeting of an individual 
in a “hyper-local” geographic area, adds a new dimension to consumer protection issues online. 
Beyond privacy concerns from data collection, a myriad of complex techniques used to market to 
consumers — including online “viral” peer-to-peer social media promotions, “smart” ads that 
learn about an online user so its offer can be changed in real-time, and even the use of 
neuroscience techniques designed to deliver marketing messages directly into one’s 
subconscious (neuromarketing) — are now regularly in use and can pose real harms. 

Financial service advertisers spent some $2.8 billion last year to target U.S. consumers online — 
for mortgages, credit and credit cards, insurance, and loans for education. A new era in financial 
marketing has emerged, with consumers increasingly relying on the Internet — including mobile 
devices — to research and apply for loans, credit, and engage in other financial transactions. 

While the Internet can help inform consumer decision-making about financial products (and be 
tremendously convenient), it can also be a confusing — and sometimes intentionally misleading — 
sales medium. Few consumers are aware of how the online financial marketing system operates, 
including the role of data collection for targeting an individual consumer for a specific loan or 
financial product. 

To aid in understanding the new system of behavioral targeting in the Internet, last fall our 
organizations, joined by other leading consumer and privacy organizations, prepared a detailed 
“Online Behavioral Tracking and Targeting: Legislative Primer.” That primer included detailed 
legislative recommendations, which we incorporate by reference to this testimony.^ 

Consumers need a level playing field at least, in an era where marketers work to 'immerse" them 
in applications designed to even subconsciously reveal or provide valuable data. A new law is 
required, but one which limits overall the data that can be collected from consumers; ensures that 
consumers have real control when personal data is used for purposes beyond that for which they 
provided it; and provides for effective enforcement of consumers’ rights. The US should work 
with the EU to develop a meaningful global framework - there is no reason why EU citizens 
should have greater privacy controls and rights than those in US, and since many of the 
companies that would be subject to US privacy law also operate on a multinational basis, it 
would be easier for them to comply with similar standards. 

DISCUSSION AND COMPARISON OF THE APPROACHES OF THE TWO ONLINE 
PRIVACY BILLS BEFORE THE COMMITTEE 

In general, while we respect the great deal of thoughtful work that has gone into crafting the two 
bills before the committee, our initial comment is that they presume the validity of the current 
system of data collection and are built around that presumption, rather than starting from the 
place that we would prefer, which is a broader Fair Information Practices-based (FIPs) 


^ The legislative primer is avaiiabie at http:,y www.deniocraticTned ia.or2./fiies/priva cv-le gi sial!ve-Drimer.pdf 
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framework. To truly protect consumers’ privacy, we need to change the paradigm to a more 
consumer rights-based approach, as we have done with credit reporting, for instance. Commerce 
will adapt and thrive based on the parameters that public policy sets for consumer privacy. 

Put another way, the bills don't track well with a citizen/consumer's rights in such a FIPs 
framework. The bills don’t address the massive growth in data collection, by requiring 
meaningful data minimization and limits to data retention, for example. The bills largely sanction 
the existing and worsening regime of ongoing collection, analysis and use of off- and online 
data, through the industry-preferred regime of notice and choice (not the full FIPs framework). 
While it is very clear that the Rush Best Practices biil makes a more substantial attempt to 
comply with more elements of the Fair Information Practices, neither bill is primarily based on a 
FiPs-framework. Instead, they tend to graft some FIPs rights for consumers and responsibilities 
for data collectors onto a system that is based on excessive information collection. 

We continue to believe that the notice and choice model promotes bureaucracy but does not 
promote privacy. A privacy bill that actually creates some privacy will need to set strong rules 
that directly protect consumer privacy, or at least be more firmly based on the Fair Information 
Practices (FIPs) that have been the foundation of U.S, privacy policy for the past four decades. 
We believe that the bills should be restructured to follow the FIPs, in much the same way. The 
bills both make substantial contributions and include many concepts that privacy groups and 
FTC staff have concluded are key to protecting privacy. 

We now will discuss key elements of the bills and make recommendations for improvements. 

1) Key Definitions 

Covered Information: Both bills include personal identifiers such as the Internet Protocol 
address in the definition of “covered information.” This is crucial, because assumptions can be 
made about consumers and they can be treated in certain ways based on such identifiers, without 
the need for other personal information such as a person’s name or physical address. The FTC 
staff report on Behavioral Advertising recognizes the risks posed by IP addresses.'' Incorporating 
these findings in legislation enhances consumer protection. 

Sensitive Information: The definition of “sensitive information” in the Best Practices Act is 
better than in Mr. Boucher’s discussion draft bill because it is more expansive, especially in the 
areas of health and finances. For example, “sensitive infonnation” under the Boucher bill 
includes “medical records, including medical history, mental or physical condition, or medical 
treatment or diagnosis by a health care professional,” However, this would not cover situations 
such as when a consumer researches cancer or another disease online. As that search is not part 
of “medical records,” the information may be collected and used to make judgments about the 
consumer for any purpose, including employment and insurance. Similarly, the Boucher bill 
includes information related to financial accounts in the definition of “sensitive information,” 
whereas the Best Practices Act definition encompasses income, assets and liabilities, a broader 
range of financial information. 


■' FTC Staff Report: Self Regulatory Principles for Online Behavioral Advertising, 21-25, (Feb 2009), 
http://www.fte.gOv/os/2009/02/P085400behavadreport.pdf. 
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We further recommend protection for the sensitive information of adolescents. Adolescents are 
particularly vulnerable to marketing and profiling.^ We recommend that sensitive information 
include age or inferences of age, if under 18, and any infonnation associated with a profile that 
has age under 1 8. This will provide protections for those who are marked and targeted as being 
adolescents. 

Operational Purposes: The definition of “operational” in the Best Practices Act is also an 
improvement over the definition in Mr. Boucher’s draft, which is much too vague. 

Affiliates and Third Parties: We are pleased that the Best Practices Act takes a slightly 
different approach to affiliates. Instead of allowing unfettered sharing of covered or sensitive 
information with affiliates, as Mr. Boucher’s draft would do, the Best Practices Act would not 
allow sharing or use of such information with affiliates if consumers are unlikely to be aware of 
the affiliation or would not expect that sharing or use to take place. Such affiliates are 
appropriately treated as Third Parties, which protects consumers better. Business reasons may 
dictate the presentation of different brand and corporate images to consumers. Legislation which 
recognizes that businesses create different consumer expectations and loyalties protects 
consumer expectations and creates incentives for consumers to be properly informed of how 
their data is shared. 

2) The Opt-Tn and Opt-out Schemes and Exceptions in the Two Bills 

We expect industry to push back hard on the very notion of opt-in consent, as (somehow) 
striking at the very fabric of the economy. We challenge the conventional wisdom that privacy 
legislation that is based on an opt-in approach is not feasible. There is absolutely no reason why 
an opt-in approach cannot work, and work well. It is ironic that while many in the business 
community profess to want to offer consumers real and meaningful control over the collection 
and use of their data, these same companies and associations are unwilling to provide the most 
effective means of control for consumers - opt-in. We heard similar objections before the wildly 
popular national “Do Not Call” registry was implemented, and even after when its legality was 
unsuccessfully challenged. We were told that it would be the end of direct marketing and that 
consumers would no longer be able to obtain the products and services they wanted at affordable 
prices. This was nonsense, as the objection to opt-in is nonsense now. Businesses will become 
more innovative and responsive to consumers’ desires concerning the collection and use of their 
data if they must first ask for their express affirmative consent. There are those in the industry 
who have said that privacy legislation ensuring consumers have greater control over their data 
will actually bolster the online economy. They correctly, in our opinion, see the benefits to 
brands and advertisers when consumers are more confident about how their information is being 
treated online.* 

We are pleased that in both bills, consumers’ affirmative consent - opt-in - is required if a 
change in a covered entity’s privacy policy means that covered or sensitive information 
previously collected about consumers could be used or shared in a manner not previously 
disclosed. 


’ See Comments of CDD, et. al., COPPA Rule Review, 40-43 (June 2010), 
http://www.ftc.gOv/os/commenfs/copparulerev2010/547597-00046-54855.pdf. 
^ See http://www.digidaydaily.com/stories/the-boucher-bill-right-on-time/. 
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Congress should recognize that in today’s data collection environment, consumers face 
practically insurmountable obstacles when it comes to comprehending — let alone controlling — 
how and why their information (including on their behaviors) is being collected, analyzed and 
used. Research from leading privacy academics has demonstrated that the current reliance on 
privacy policies, which in effect buries clear disclosure in a form of digital fine print, doesn’t 
help inform consumers. Even if the FTC, as proposed by the bill introduced by Chairman Rush, 
develops a new standard for such notices, many privacy and consumer experts believe that they 
will do little to actually help consumers maneuver through a system purposely designed to 
encourage them to consent to data collection. That is why most of the leading consumer and 
privacy groups support an opt-in regime for the collection of information. An opt-out regime will 
not stem the data collection tide that threatens consumer interests 

If secondary use of consumers’ personal information can truly benefit them, why shouldn’t 
covered entities be required to explain exactly how and obtain their affirmative consent? We 
recommend that non-sensitive information should only be allowed to be collected and used for 
non-operational purposes for 24 hours, after which opt-in consent would be required to continue 
to store and use it. 

We also recommend that Congress consider mandating the creation of a “Do Not Track” registry 
to provide consumers with an easy-to-use, effective means of controlling the most invisible 
collection and use of their personal information, behavioral tracking and targeting. This is when 
information about their online and offline activities is used to build profiles of them for 
marketing and other purposes. The assumptions made about consumers through behavioral 
tracking may be inaccurate - who among us has not searched online for information about a 
friend or reiative’s heaith problems, or purchased something for another person that we would 
not have bought for ourselves? And some consumers may simply not want to be tracked on 
principle. Consumers should be able to avoid all behavioral tracking and targeting if they wish 
through one easy step. This would work in much the same way as the federal “Do Not Call” 
registry, except that instead of consumers putting their own Internet Protocol Addresses in the 
registry, entities that engage in behavioral tracking and targeting would submit the technical 
information to the registry that would enable consumers to block those activities. The FTC can 
consult with experts to build such a system. 

But even with the required notice and opt-in, consumers may not be able to fully appreciate how 
information about their health, finances, race or ethnicity, sexual orientation, religious beliefs, 
political beliefs and data about their location might be accessed and used, for purposes they 
never anticipated. For instance, a consumer searching for mortgage information is unaware that 
she is being tracked as she searches for the best deal online and that her “profile” may contain 
information about her race, ethnicity, financial condition, health concerns, where she travels, and 
other sensitive information that can influence the kinds of offers and products that she may 
receive. We commend the bills for advancing safeguards related to sensitive information, 
although more protections are required. Many consumer and privacy groups are especially 
pleased that the bills declare racial/ethnic and sexual orientation related information as sensitive 
data. We applaud that strong .safeguard as a significant advance to protect consumers and citizens 
from emerging new forms of racial and other types of profiling that we believe can be used to 
discriminate against them, including involving issues of critical importance to their welfare. We 
know that in particular. Chairman Rush has been publicly concerned about these issues, and we 
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wish to take this opportunity to also thank him for his leadership on this issue. We commend 
both bills for inclusion of geolocation information — a critical consumer protection advance that 
recognizes that in this new era of “smart” phones and what’s called hyper-local targeted 
marketing, it is essential that such highly private information is completely under the control of 
the individual. As w'e explained in a complaint’ filed last year at the FTC, today’s mobile 
marketing environment combines information about one’s behavior [behavioral targeting] with 
knowledge of a consumer’s actual location. Geolocation information, including the history of 
where we and our families spend time, requires the highest form of consumer privacy control. 

But we also strongly urge the Committee to strengthen its protections for sensitive information. 
As we have explained to the FTC and other federal agencies, consumers are unaware about the 
data collection and behavioral marketing processes that now underlie their activities involving 
such sensitive transactions as using tlie Internet to research and then pursue financial 
transactions, including mortgages and other forms of loans and credit. Nor are they likely to 
recognize that when investigating concerns about a medical issue, they can become the subject of 
what’s called “condition targeting” by the online health marketing industry. Chairman Rush’s 
bill correctly requires the FTC to conduct a specific rule-making on the issue of sensitive data, to 
potentially amplify what subjects and areas should also be included. Wliile we greatly support 
this provision, we hope we can w'ork wMth this committee. Chairman Boucher, and other 
members to strengthen the section on what should be included in this extremely critical to 
consumer welfare section. 

We also note that storing and sharing sensitive information puts consumers at risk of identity 
theft and other crimes. To truly protect consumers, legislation should prohibit sensitive data from 
being collected or used for any purposes other than for the transactions for which they have been 
provided. The bill just introduced by Chairman Rush requires third parties to only use sensitive 
data based on affirmative opt-in consent for a specific purpose only— which we support. The use 
of sensitive data by first parties should be granted narrowly as well, for a limited specific 
purpose. 

We recommend that non-sensitive information should only be allowed to be collected and used 
for advertising purposes for 24 hours, after which opt-in consent would be required to continue 
to store and use it. We believe that consumers should be given as complete control over the data 
collection, profiling and targeting process. Not everyone will wish to participate in so-called 
“Safe Harbor” approaches and other longer forms of opt-out. Data collection, profiling and 
targeting practices beyond an initial 24 hour period for non-sensitive information should require 
affirmative consent from a consumer. 


’ Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair and Deceptive Mobile Marketing 
Practices, Center for Digital Democracy and U.S. PIRG January 2009, (available at 
httpr'/vvww.democraticniedia.org/Iiies/FTCmobile coninlaintOlOO.ndf l 
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3) Access, Correction, Data Retention and Other FIPs Issues 

We note that neither bill requires covered entities to limit the collection of personal information 
to that which is necessary for the transaction or activity in which the consumer is engaging - a 
fundamental element of the Fair Information Practices. This, again, is why opt-in should be the 
standard, not-opt-out, when information will be used for secondary purposes. There is also no 
limit to the amount of time that covered or sensitive information can be retained and used, 
beyond an 18-month retention limit for managed profiles in Mr. Boucher’s bill. The Federal 
Trade Commission should be instructed to set reasonable retention limits. 

We are pleased that the Rush Best Practices Act addresses the issue of access and correction for 
consumers, another important Fair Information. Legislation must ensure a consumer’s right to 
not only access their profile and related information, but a fair process where they have the right 
to delete incorrect data, yet neither bill provides this protection. 

We are also pleased to see the provisions in the Best Practices Act for data security and privacy 
risk assessments. 

4) Concerns about Use of Aggregated and Re-Identified Information: 

We are pleased that provisions in the bill by Chairman Rush to establish safeguards for the use of 
so-called re-identified data, designed to prevent the reconstructing of information on a consumer. 
However, in today’s advanced data mining and informational targeting environment, so-called 
aggregate information can help provide a detailed analysis of a consumer. The FTC should be 
authorized to conduct a rulemaking on the appropriate use of aggregate and so-called de- 
identified data that would both articulate best industry practices and establish the necessary 
consumer privacy safeguards. 

5) Use of Consumer Profiles and Discussion of Issues of Consumer Harms 

Members of the data collection industry, including digital marketers, have established a far- 
reaching system of consumer profiling. Today, as we have discussed, so-called real-time ad 
auctions actually sell access to our online profiles to the highest bidder. Consumers require a 
system where such profiles are closely analyzed and assessed, including by regulators. The 
propriety of the online profiling system for consumer targeting — now across the offline and 
online platforms, including mobile — ^must be questioned. We urge the committee to require the 
FTC to engage in a Rulemaking on the issue of profiles and what are appropriate policies for 
their role. We especially suggest the FTC be mandated to examine how the use of online profiles 
raises consumer protection concerns in such areas as health and financial transactions a 
consumer makes. 

6) Concerns About “Publicly Available Information” 

We are concerned that this provision creates an unfortunate loophole which sanctions the 
collection and use of greater amounts of data on an individual consumer. As the Chairman and 
the committee recognize, in today’s online environment information about us is often made 
available without the consumer realizing that it will be swept into a profile or some other form of 
commercial database. If we pose a picture of our friends at some celebration on our social 
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network, and we are toasting the birthday of a friend, should that be included in what’s to be 
considered a database for commercial use? There should be meaningful limitations on what is 
considered publicly available information in this new era. The FTC should be empowered to 
conduct a rulemaking to set reasonable limits that will protect consumers. 

7) Concerns About the Self-Regulatory' Safe Harbor Scheme 

We are concerned about the Rush safe harbor provision for covered entities that participate in 
self-regulatory programs because experience has shown that such programs have fallen far short 
of ensuring adequate protection for the privacy and security of consumers’ personal information 
in the past. While that safe harbor provision - including its universal opt-out requirement - in 
the Best Practices Act is more robust than the exception in Mr. Boucher’s discussion draft for 
entities that participate in self-regulatory programs, it needs to be significantly strengthened if it 
is retained in the legislation. As do too many other parts of the bill, the system relies extremely 
heavily on FTC rulemaking and enforcement, rather than on more specific guidelines and private 
rights of action. Any measure that provides for FTC-approved self-regulatory programs must 
require the FTC to closely monitor and test those programs, rather than relying on the program 
operators to test and monitor themselves. 

We note that evidence from the Federal Trade Commission’s previous encouragement of self- 
regulatory schemes is not promising. As Hoofnagle,* (2005), notes: 

“In 2000, a 3-2 majority of the FTC formally recommended that Congress adopt 
legislation requiring commercial web sites and network advertising companies to comply 
with Fair Information Practices. However, a year later with the appointment of a new 
FTC Chairman, the FTC embraced self-regulation again,” 

He then goes on to say: 

“The overall effect of the FTC's [self-regulatory] approach has been to delay the adoption 
of substantive legal protection for privacy. The adherence to self-regulatory approaches, 
such as the Network Advertising Initiative that legitimized third-party Internet tracking 
and the Individual References Service Group principles that concerned sale of SSNs, 
allowed businesses to continue using personal information while not providing any 
meaningful privacy protection. Ten years later, online collection of information is more 
pervasive, more invasive, and just as unaccountable as ever — and increasingly, the public 
is anesthetized to it.” 

Similarly, Dixon® (2007) found the following, in a report on the Network Advertising Initiative 
(NAl): 


® Hoofnagle, Chris Jay, Privacy Seif Regulation: A Decade of Disappointment (January 19, 2005). Available at 
SSRN; http://ssm.com/abstract=650804 or doi:10.2I39/ssm.650804 

” Dixon, Pam, Network Advertising Initiative: Failing at Consumer Protection and at Self-Reguiation, World 
Privacy Forum, (November 2007). Available at 

htt D://www.worldprivacvforum.org/odfAVPF NAl report Nov2 2007fs.D df 
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The NAI has made no attempt to extend its self-regulatory structure to reflect 
developments in the Internet sector or in business practices. Its conception of online 
profiling grew rapidly stale. For example, techniques exist today for tracking of 
consumers that do not rely on traditional cookies. As time passed, the NAI self- 
regulation’s effectiveness toward consumer protection became less effective or and less 
relevant. 

We are encouraged by the efforts of the current FTC to study behavioral targeting, hold 
workshops and make positive recommendations. Nevertheless, the FTC’s historic efforts at 
replacing privacy protection with privacy self-regulation have not been positive. Robust rules 
based on Fair Information Practices are required. 

8) The Bills Need Stronger Private Rights of Action 

The Boucher bill (section 9) would block consumers from taking legal action to enforce their 
rights. As you know, federal and state agencies play important roles in protecting the public, but 
they cannot and do not take action to resolve every situation in which consumers’ rights have 
been violated. It is essential for individuals to be able to enforce their privacy rights and stop 
egregious practices. A private right of action must be provided to help ensure a level playing 
field and iiicentivize companies to respect and protect consumers’ privacy, 

While the Rush bill grants very limited private rights of action for certain willful violations (a 
high standard), why not give consumers full legal rights to enforce the law? 

Instead, both these bills bow to industry demands to limit consumer rights to police the 
marketplace. Private rights of action are not designed - as industry rhetoric would have you 
believe - to enrich trial lawyers. Rather, the threat of a private right of action deters unsavory 
practices and encourages compliance with the law. Conversely, the lack of private rights of 
action encourages companies to ignore the law. 

The marketplace functions best when consumers, federal agencies and state attorneys general can 
all enforce strong laws, and states can enact stronger laws when new or local threats emerge. 

9) The Bills Need Stronger State Enforcement and Less Preemption 

We are very concerned about the sweeping preemption in the current draft of the 
Boucher/Steams legislation. The bill preempts state or local laws or regulations that include 
“requirements for the collection, use, or disclosure of covered information.” This is incredibly 
broad and could block existing or new measures on the state level to limit the use of certain types 
of information, such as Social Security numbers, to notify consumers of data breaches, to protect 
health data, and to extend other needed privacy protections to consumers. 

While the Rush draft incorporates a narrower form of preemption, its provisions are still 
problematic. Rather than a broad preemption, we recommend that any final bill set minimum 


See, eg. Remarks of David Vladeck, Director, Bureau of Consumer Protection, Exploring Privacy; A Roundtable 
Series, Berkeley, CA (28 January 2010) available at 
http://www.ftc.gnv/speecli e.s/vladeck/100 l28exDloringprivacv.pdf 
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standards for privacy protection and allow states to create stronger laws and regulations to 
safeguard consumer data against misuse and abuse if necessary. The stronger the final bill is, the 
less likely that there will be any significant gaps that states will feel compelled to fill. 

We also believe that state attorneys general should always have the ability to enforce the federal 
law, or their state laws, and then in either state or federal court, and not be restricted to federal 
courts. 

10) Other Concerns (Lack of A Findings Section) 

We believe that there should be a strong findings section at the beginning of the bills. We urge 
you to carefiilly review our suggestions, as we are working toward the same goal: to protect the 
interests of Americans while maintaining and increasing robust commerce. In fact, providing 
meaningful protection for consumers’ data is necessary in order to ensure their confidence in our 
increasingly complex marketplace. The argument that we must choose between privacy or access 
to a broad array of reasonably attainable goods and services is false. American business can 
deliver both, and we should demand no less. 


CONCLUSION 

We commend Chairmen Rush and Boucher, along with Ranking Member Stearns (and other 
members of the committee), for helping advance a much needed legislative debate about the best 
way to protect consumer privacy. Consumer and privacy groups recognize the important role that 
online marketing and advertising piay, as a source of revenues for online and other publishing, 
and as a robust sector of the digital economy. We also recognize that data collection, online and 
offline, plays an important role — perhaps the most critical one — for the industry’s future. 

But contemporary data collection practices, especially online, far surpass what consumers may 
have become familiar with on a day-to-day basis. Not only are our behaviors online closely 
tracked and analyzed (such as the content we like or tend to avoid; what we are willing to pay for 
or what we discard from online shopping carts), but consumers are confronted with an array of 
interactive ads purposely designed to elicit, sometimes subconsciously, greater amounts of our 
data. Today, as U.S. PIRG, Center for Digital Democracy and others recently filed at the FTC, 
so-called real-time ad exchanges auction consumers off to the highest bidder, so that they can be 
targeted for marketing wherever they might happen to be online. All this is done in a non- 
transparent, unaccountable manner, without the consumers’ knowledge or consent. 

A vast, automated, and powerful data collection complex has emerged, capable of generating and 
continually revising a profile — a consumer X-Ray — of our habits, interests, worries, financial 
status, families. These applications can hone in on an individual consumer, and almost instantly 
create an interactive ad that continues to transform itself as it stealthily “leams” about the 
interests of a single consumer. Google’s recent acquisition of Teracent, one of the companies 
focused on so-called “Smarf ’ ads, is just one example of why online marketing’s ability to 
encourage a consumer to provide data demands a rigorous framework to protect con.sumer 
privacy. As the company explains, “Teracent deploys an unlimited number of ad creative 
combinations (using your catalogs, databases, images, and messages) through a single ad unit. 
Then, sophisticated machine learning algorithms instantly select the optima! creative elements 
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for each ad impression - based upon a real-time analysis of which items will convert from 
impressions into sales.”" 

We firmly believe that the U.S. should be the global leader in creating a policy framework 
shaped by FIPs that greatly aids the growth of the digital marketing industry. While advances in 
so-called computational advertising reflect an important contribution to innovation and can help 
spur the growth of ad revenues, they must be guided by a framework grounded in the 
requirements of consumer protection in a democratic society. That’s why we — consumer and 
privacy groups and other concerned citizens — ^want to work with Chairman Rush, Chairman 
Boucher, Ranking Members Stearns and Radanovich — as well as Chairman Waxman and 
Ranking Member Joe Barton, Mr. Markey and others — to build up these initial proposals, and to 
work with industry, academic experts, and other stakeholders to develop legislation that is 
grounded in Fair Information Practices. 

Among the key elements of a revised bill is a framework focused on overall data minimization. 
Today, anyone who knows the online and offline data collection industry will tell you the focus 
is on data maximization. “Every move you make,” as the lyrics of the Police song go, could be 
the data collection industry theme song, as we are all being watched, compiled, analyzed and 
then acted upon. While tools involving opt-in and safe harbors, for example, provide greater 
control by a consumer, they do not constrain the dramatic and far-reaching growth of online and 
offline data collection for personalized and interactive targeting. Although the bill offered by 
Chairman Rush incorporates a key section on data minimization, we believe that the overall 
legislation should focus on mandating that less data be collected wherever possible. The online 
and data collection industry should not be permitted to engage, as they are, in an unchecked data 
“arms race.” Digital data detente is required, with a system based on minimal data collection, 
complete transparency, consumer control and redress, and federal, state and private rights of 
enforcement. 

OTHER BACKGROUND SECTIONS 
Attachments: 

Appendix 1: The Need For Privacy Protection To Be Based On The Fair Information 
Practices (Page 12) 

Appendix 2: Interactive Advertising Data Collection Examples (3 pages, Pages 13-15) 
Appendix 3; A Marketer's Guide to Understanding the Economics of Digital...2009, AAAA. 
(Page 16). 


Teracent, “Advertiser Solutions,” httn ://www.teracenLcom.''a<ivertiser-soluti ons/ (viewed 20 July 2010), 
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Appendix 1: The Need For Privacy Protection To Be Based On The Fair Information 
Practices 

In 1973, a task force was formed at the U.S. Dept, of Hedth, Education and Welfare (HEW) to look at the impact of 
computerization on medical records privacy. The members wanted to develop policies that would allow the benefits 
of computerization to go forward, but at the same time provide safeguards for personal privacy. 

The task force developed a Code of Fair Information Pr^tices, consisting of five clauses: openness, disclosure, 
secondary use, correction, and security. At the same time, Sweden enacted a law that codified many of the same fair 
information principles formulated by the HEW. 

In the ensuing years, other European countries enacted similar omnibus data protection laws. And in 1980, the 
Organization of Economic Cooperation and Development (OECD), an Internationa! body based in Paris, adopted the 
"Guidelines on the Protection of Privacy and Transborder Flows of Personal Data." 

In general, consumer and privacy organizations consider the OECD Guidelines to be the most robust version of the 
Fair Information Practices. Many industiy self-regulatory organizations have adopted notice and choice regimes 
that, at best, amount to “FIPs-Lite” and at worst to bureaucracy without privacy protection. For the record, the 
OECD Guidelines are listed below. 


Privacy Guidelines 

Organization of Economic Cooperation and Development, 1980 

From "Guidelines on the Protection of Privacy and Transborder Flows of Personal Data," OECD, 1980.'^ 

Collection Umitation. There should be limits to the collection of personal data and any such data should be 
obtained by lawfol and fair means and, where appropriate, with the knowledge or consent of the data subject. 

Data quality principle. Personal data should be relevant to the purposes for which they are to be used, emd, to the 
extent necessary for those purposes, should be accurate, complete and kept up-to-date. 

Purpose specification. The purposes for which persona! data are collected should be specified not later than at the 
time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not 
incompatible with those purposes and as are specified on each occasion of change of purpose. 

Use limitation principle. Personal data should not be disclosed, made available or otherwise used for purposes 
other than those specified in accordance with Paragraph 9 [Purpose specification] except: 

(a) with the consent of the data subject; or 

(b) by the authority of law. 

Security safeguards principle. Personal data should be protected by reasonable security safeguards against such 
risks as loss or unauthorized access, desh'uction, use, modification or disclosure of data. 

Openness principle. There should be a general policy of openness about developments, practices and policies with 
respect to personal data. Means should be readily available of establishing the existence and nature of personal data, 
and the main purposes of their use, as well as the identity about usual residence of the data controller. 

Individual participation principle. An individual should have the right; 

(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating 
to him; 

(b) to have communicated to him, data relating to him 

1 . within a reasonable time; 2. at a charge, if any, that is not excessive; 3. in a reasonable manner; and 4. in a form 
that is readily intelligible to him; 

( c) to be given reasons if a request made under subparagraphs (a) £md (b) is denied, and to be able to challenge such 
denial; and 

(d) to challenge data relating to him and, if the challenge is successful, to have the data erased; rectified, completed 
or amended. 

Accountability principle. A data controller should be accounteble for complying with measures which give effect 
to the principles stated above. 


Available at hftp://bjt.Iv/coc5sq (last visited 10 July 2010). 
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Appendix 2; Interactive Advertising Data Collection Examples*^ 

1. Consumer tracking online; 

As Yahoo’s online ad auction service Right Media explains in a “primer” for data providers: 
“Data providers are changing the advertising landscape by focusing on who sees ads rather than 
where ads appear. Here is how it works: When consumers go to certain web sites, the page 
places a tag (or ‘cookie’) within the browser — ^tracking that a particular browser visited a 
particular site. In some cases, a data provider (which can also be described as a data ‘collector’) 
pays the web site for the ability to do this. The cookie enables the data provider to follow 
consumers and track their online ‘behavior.’” 

2. New York Times description of real-time ad-bidding process: 

“Now, companies like Google, Yahoo and Microsoft let advertisers buy ads in the milliseconds 
between the time someone enters a site’s Web address and the moment the page appears. The 
technology, called real-time bidding, allows advertisers to examine site visitors one by one and 
bid to serve them ads almost instantly.,,. Using data providers like BlueKai or eXelate, 
AppNexus can add infonnation about what a person has been doing online. ‘It’s a lot about being 
able to get the right users, but it’s also about passing on certain instances where we don’t think 
you’re in the market, based on what you’ve been doing in the past hour,’ Mr. Ackley [vice 
president for Internet marketing and advertising at eBay] said.... Until the arrival of real-time 
bidding, said Mr. Mohan of Google, ‘the technology hasn’t really been there to deliver on the 
promise of precise optimization, delivering the right message to the right audience at the right 
time’ in the display world.” 

3. Online tracking now combined with offline databases to create detailed profiles: 

“Digital-marketing companies are rapidly moving to blend information about consumers’ Web- 
surfmg behavior with reams of other personal data available offline, seeking to make it easier for 
online advertisers to reach their target audiences.... eXelate will tie its data on more than 150 
million Internet users to Nielsen’s database, which includes information on 115 million 
American households, to provide more-detailed profiles of consumers. ‘We can build [consumer] 
profiles from any building blocks,’ says Meir Zohar, chief executive of eXelate. . .. ‘Age, gender, 
purchase intent, interests, parents, bargain shoppers — ^you can assemble anything,”’ eXelate 
“gathers online consumer data through deals with hundreds of Web sites. The firm determines a 
consumer’s age, sex, ethnicity, marital status and profession by scouring Web-site registration 
data. It pinpoints, for example, which consumers are in the market to buy a car or are fitness 
buffs, based on their Internet searches and the sites they frequent. It gathers and stores the 
information using tracking cookies, or small strings of data that are placed on the hard drive of a 
consumer’s computer when that consumer visits a participating site. Advertisers, in turn. 


” These examples are derived from Center for Digital Democracy, U.S. PIRG et al complaints to 
the Federal Trade Commission on Online Marketing, See April 2010, Complaint - Real-time 
Targeting & Auctioning, Data Profiling, Optimization, And Economic Loss To Consumers & 
Privacy (available at http://www.democraticmedia.org/files/ul/20100407-FTCfiling,pdf ) and 
also January 2009, Complaint and Request for Inquiry and Injunctive Relief Concerning Unfair 
and Deceptive Mobile Marketing Practices (available at 

http://www.democraticmedia.org.'files/FTCmobile comDlaintOlOO.Ddf l for our most recent 
filings. 
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purchase cookie data from eXelate and use it to buy targeted online ads.” eXelate’s recent 
agreement with Nielsen will “will allow advertisers to go to eXelate to buy New York-based 
Nielsen’s trove of data converted to a cookie-based digital format. That data comes from sources 
including the Census Bureau, the firm’s own research and that of other consumer-research firms, 
such as Mediamark Research and Experian Simmons.” 

4. Ad exchange targeting involves such sensitive areas as health and finance; 

Google’s Doubleclick Ad Exchange permits the targeting of a wide range of health and financial 
behaviors. These include arthritis, diabetes, GERD and digestive disorders, migraines, sleep 
disorders, pain management, credit cards, loans and insurance. 

5. Social Media marketing includes online discussions of personal health: 

Social media marketing is a recent form of interactive advertising that takes advantage of a 
person's social relationships online — ^their so-called social graph — with brands and other 
advertising. Through various techniques and technologies, companies monitor consumer 
conversations about a product or medical condition, often covertly. Heartbeat Digital's 
BuzzScape, for example, “allows clients to monitor discussions that flow' in and out of the tens of 
thousands of message boards, forums, blogs and social networks that increasingly dominate the 
online environment, 'We translate 'buzz' into ROl,' said Bill Drummy, chairman and CEO of 
Heartbeat. 'In a sense, we eavesdrop on public conversations among people with a shared 
interest, then use what we learn to create interactive marketing campaigns that address the 
identified needs, wants and gaps in knowledge of target audiences.'" 

6. Even on so-called “opt-in” sites that require registration, consumers may not be fully 
aware of the amount and range of personal information that they are sharing with third 
parties: 

PatientsLikeMe offers a new service, PatientsLikeMeListen, to its industry partners. In addition 
to giving pharmaceutical companies "unprecedented insight on how your brand is perceived," the 
monitoring service also provides startling amounts of personal data about the online conversants, 
including gender, age, time on treatment, time since diagnosis, disease progression, disease type, 
symptomology, longitudinal variation, and supporting therapies. As Razorfish's Debrianna 
Obara explains, "Sites such as Yahoo!, EverydayHealth and MSN are able to segment their 
audience differently. Since most of their users have created accurate profiles of themselves when 
they register with a site (including birth year, number of children in household, zip code, and 
ailments in the household), these sites can create packages for advertisers comprised only of 
people that fit the desired audience profile. 

7. Mobile marketing poses new threats to consumer privacy: 

Mobile devices, which know our location and other intimate details of our lives, are being turned 
into portable behavioral tracking and targeting tools that consumers unwittingly take with them 
wherever they go. Bango’s Sarah Keefe notes how online marketers will be able to update 
profile-based mobile targeting in real time: “Marketers can. ..compile an accurate and rich 
understanding of their target consumer’s profile. With this data jackpot, marketers can target 
messages to the right audience in the right geographic location. Also, real time data allows 
campaigns to be tweaked and refined to ensure success and optimize the marketing 
investment. ... It’s a brave new mobile marketing world out there and the wealth of data and 
analytics capabilities that are part of the new landscape eliminate the risk of Jumping right in. 
Why wait?” As Mobixel reveals in its product literature, “the opportunity to reach a large 
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captive audience” through mobile advertising is “extremely enticing,” because “the mobile 
phone offers focused demographic, behavioral and contextual targeting and immediate 
engagement.” Using these capabilities, its Mobixel Ad-It service provides the tools for mobile 
network operators to “gather, quantify and analyze” a wide range of information about 
subscribers, including “demographic details, service profiles, behavioral patterns, as well as the 
real-time context of services, location and device and network capabilities. ... It then uses this 
information, in real time, to make complex targeting decisions” on behalf of advertisers. 

8. Location-based targeting adds a new threat to consumer privacy: 

If behavioral targeting is a potent force in interactive advertising, the mobile marketplace 
increases the power of such targeting still further by pinpointing the precise location where 
various consumer behaviors take place. In the past, of course, marketers could determine the 
approximate location of mobile device users through a complex system of triangulation. But the 
latest generation of cellular phones, which are increasingly equipped with sophisticated global 
positioning capabilities, are taking all of the guesswork out of location-based targeting. Utilizing 
these advances in GPS technology, marketers can now determine the precise location of mobile 
users — within three feet. As Ad Age noted, “Context-based banner ads now morph into GPS 
locators for the closest product from the user’s current location. Ads can initiate calls or purchase 
DVDs for instant viewing. Ads can incorporate audio, video and web browsing, and can also 
direct users to the iPhone App Store or iTunes.” 

9. Online “lead generation” in financial services: 

The role of online lead generation (so-called “trigger leads”) and the use of behavioral targeting 
for mortgages and other loans represent a potentially critical threat to the privacy of digital 
consumers, whose data are used without their clear understanding, let alone control, of such 
surveillance. For example, Lightspeed Research promises marketers a “full wallet view across 
customers’ many financial services relationships,” providing “unparalleled insight into 
consumers’ use of credit, debit, banking and alternative payment products. We passively gather 
information from their financial accounts and merge it with third-party behavioral datasets, 
survey-based altitudinal insights, and industry expertise.” 
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Mr. Rush. Thank you. Mr. Rubinstein, you are recognized for 5 
minutes. 


TESTIMONY OF IRA RUBINSTEIN 

Mr. Rubinstein. Mr. Chairman, Ranking Member Whitfield, and 
members of the Subcommittee, thank you for the opportunity to 
testify today. My name is Ira Rubinstein and I am an adjunct pro- 
fessor at NYU School of Law. This afternoon I will focus my com- 
ments specifically on a key question in Congressional efforts to reg- 
ulate privacy. What is the relationship between privacy legislation 
and industry self-regulation and the role and effectiveness of safe 
harbor provisions in promoting self-regulation? 

A safe harbor is a familiar legislative device intended to shield 
or reward firms if they engage in desirable behavior as defined by 
statute. In the privacy arena the most familiar example is the Chil- 
dren’s Online Privacy Protection Act. Over the past decade COPPA 
safe harbor programs have met with success mainly in terms of 
complimenting FTC’s own enforcement efforts. But the program 
has two main shortcomings, weak incentives, and a low rate of par- 
ticipation. Only about 100 firms have joined. In my written testi- 
mony I propose several ways in which Congress might improve 
upon the COPPA safe harbor by adopting a more co-regulatory ap- 
proach in which industry enjoys greater scope in shaping self-regu- 
latory guidelines while government sets default requirements and 
retains general oversight authority to improve — approve and en- 
force such guidelines. 

A co-regulatory approach relies on both sticks and carrots as in- 
centives. Sticks for non-participating firms might include a private 
right of action, broader opt-in requirements, external and inde- 
pendent audits of regulatory compliance and much stricter require- 
ments for online behavioral advertising. Carrots, on the other 
hand, might include not only exemptions from private actions for 
safe harbor participants, but also cost saving such as compliance 
reviews based on self-assessments rather than external audits, gov- 
ernment recognition of better performing firms, and regulatory 
flexibility in the form of tailored requirements addressed to specific 
sectors or business models. 

In proposing this new approach to privacy safe harbors it bears 
emphasizing that safe harbor benefits should be limited to firms 
demonstrating superior performance and would not be available to 
other firms that merely satisfy the fault statutory requirements. In 
other words, the safe harbor would only benefit firms that meet 
high performance standards based on, for example, sound data gov- 
ernance practices such as appointing a chief privacy officer who is 
accountable for setting privacy protection policy and standards; ad- 
vanced privacy methodologies such as use of development guide- 
lines for building privacy protection into products or services, also 
called privacy by design as Mr. Hoffman mentioned; and other Best 
Practices such as privacy training for relevant staff and online 
guidance on privacy and security for other employees and for con- 
sumers. 

In closing I want to emphasize that this new approach to privacy 
safe harbor should not be confused with existing self-regulatory 
schemes in which industry alone develops and then oversees the 
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privacy code of conduct. Rather, in a privacy safe harbor as envi- 
sioned here, the government sets default requirements and rel- 
evant standards and practices emerge from a multi-stakeholder 
process in which both advocacy groups and members of the public 
have an opportunity to participate. This requires that interested 
parties engage in difficult and perhaps protracted negotiations and 
keep talking with each other until they forge a rough consensus. 

One way to insure public participation is negotiated rule making, 
a statutorily defined process by which agencies formally negotiate 
rules with regulated industries and other stakeholders as an alter- 
native to conventional rule making. An alternative approach would 
be to modify the safe harbor approval process by requiring that 
program sponsors engage in a public consultation and report on 
these consultations in their applications. 

I will conclude by offering three recommendations which I am 
happy to elaborate upon during this hearing. First, Confess needs 
to enact comprehensive privacy legislation incorporating robust 
Fair Information Practices. Second, this legislation should include 
a safe harbor program based on a co-regulatory approach as de- 
scribed above. Finally, this safe harbor program should include 
strong performance standards based on data governance, advance 
privacy methodologies, and other Best Practices, and it should also 
require public consultation as part of the safe harbor approval 
process. 

The two bills being considered today represent important first 
steps in developing this new approach to safe harbors, but should 
be expanded as discussed above. I want to thank you again for this 
opportunity to testify. I will be pleased to answer your questions 
and would be happy to provide any further assistance. 

[The prepared statement of Mr. Rubinstein follows:] 
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Mr. Chairman and Members of the Committee, thank you for the opportunity to testify 
today on H.R. 5777, the BEST PRACTICES Act, and the Boucher-Stearns discussion draft. My 
name is Ira Rubinstein and I am Adjunct Professor at New York University School of Law and a 
Senior Fellow at the Information Law Institute. I am grateful for the opportunity to appear 
before the Committee this afternoon and also for your efforts in developing comprehensive 
legislation that responds to growing public concern over privacy in the digital era. 

I will focus my comments specifically on a key question in Congress' longstanding effort 
to regulate online privacy— what is the relationship between privacy legislation and industry 
self-regulation? To what extent should Congress encourage self-regulation by allowing 
alternative forms of compliance based on "safe harbor" provisions? Have existing safe harbor 
programs achieved their goals and, if not, how might they be changed to make them more 
effective? 

Background: What is a Safe Harbor? 

To answer these questions, I first need to say a few words about how safe harbors work, 
in theory and in practice. A safe harbor is a regulatory strategy under which a federal statute 
recognizes differences in industry performance explicitly by treating regulated firms who qualify 
more favorably than non-qualifying firms. In other words, safe harbors shield or reward firms if 
they engage in desirable behavior as defined by statute. Favorable treatment for better 
performing firms might include immunity from liability, protection from certain penalties. 
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exemptions from certain requirements, and/or permission to engage in certain desired 
behaviors. The key point to emphasize is that eligibility for the benefits conferred by a safe 
harbor are contingent upon a participating firm meeting a higher standard of performance than 
what is otherwise required of firms covered by the relevant statute. 

In the privacy arena, the most familiar example of a safe harbor is the Children's Online 
Privacy Protection Act (COPPA). Section 5503 of this Act establishes an alternative means of 
compliance for operators that follow self-regulatory guidelines issued by an industry 
representative and approved by the Federal Trade Commission (FTC), subject to a notice and 
comment procedure. The COPPA safe harbor seeks to facilitate industry self-regulation in two 
ways; first, by granting enforcement-related benefits (operators that comply with approved 
seif-regulatory guidelines are deemed to be in compliance with the law); and, second, by 
allowing greater flexibility in the development of self-regulatory guidelines in a manner that 
takes into account industry-specific concerns and technological developments. FTC approval of 
a COPPA safe harbor program turns on whether self-regulatory guidelines (1) meet or exceed 
statutory requirements; (2) include an effective, mandatory mechanism for the independent 
assessment of compliance with the guidelines (such as random or periodic review of privacy 
practices conducted by a seal program or third-party); and (3) contain effective incentives to 
ensure compliance with the guidelines (such as mandatory public reporting of disciplinary 
actions, consumer redress, voluntary payments to the government, or referral of violators to 
the FTC). 

In practice, the COPPA safe harbor programs have met with success mainly in terms of 
complementing FTC's own enforcement efforts.* But the COPPA safe harbor also suffers from 
two serious shortcomings: First, a very low rate of participation (presumably because deemed 
compliance is not a strong enough incentive to persuade many firms to bear the costs of joining 
a safe harbor program and abiding by its guidelines when they have to comply with all but 
identical statutory requirements in any case);^ and, second, a lack of regulatory flexibility (all of 
the approved self-regulatory programs have nearly identical requirements to those of the 
COPPA statute). 


‘ See FTC, IMPLEMENTING THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT: A FEDERAL TRADE 
COMMISSION REPORT TO CONGRESS (2007) 24; see also Ira S. Rubinstein, Privacy and Regulatory Innovation: 
Moving Beyond Voluntary Codes, I/S: A JOURNAL OF UW AND POLICY FOR THE INFORMATION SOCIETY 
(forthcoming Winter 2011), 22-23 available at http://oapers.ssrn.cQm/sol3/Dapers.cfm?abstract id=1510275 
(describing the success of the CARU safe harbor program, which over an eight year period investigated and 
successfuily resolved almost 200 cases). 

^ See Rubinstein, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, 20-23 (noting that 
fewer than 100 firms have been certified under approved COPPA safe harbor programs). 
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One way to build on the success of the COPPAsafe harbor programs while overcoming 
these two shortcoming would to adopt a more "co-regulatory" approach to privacy legislation, 
one in which industry enjoys greater scope in shaping self-regulatory guidelines, while 
government sets default requirements and retains general oversight authority to approve and 
enforce such guidelines. This approach envisions a more collaborative, flexible and 
performance-based model of self-regulation and explicitly draws on critical insights from 
environmental regulation.^ 

As noted above, COPPA safe harbor participants are subject to self-regulatory guidelines 
that are nearly identical to statutory requirements. Their incentives for joining are limited to 
deemed compliance and a largely empty promise of regulatory flexibility. In other words, 
COPPA failed in its efforts to treat safe harbor participants more favorably than other covered 
entities. In contrast, a co-regulatory approach would more effectively use both sticks and 
carrots as incentives. In the environmental setting, for example, sticks typically include a threat 
of stricter regulations or imposition of higher pollution fees, whereas carrots might take the 
form of more flexible regulations, recognition of better performance by the government, and 
cost-savings such as exemptions from mandatory reporting or easier and quicker permitting."* 
Firms that demonstrate high performance avoid these sticks and/or enjoy these carrots. How 
would this approach translate into the privacy arena and why it might attract industry support 
at much higher rates than that of the COPPA safe harbor programs? 

A New Approach to Privacy Safe Harbors 

Over the years, many advocacy groups and privacy scholars have favored a private right 
of action and liquidated damages as enforcement mechanisms in any new privacy legislation. 
Not surprisingly, industry has argued that such remedies are both unnecessary and ineffective. 
This suggests that an excellent stick might be devised around a tiered liability system. Under 
this new approach, privacy legislation would allow civil actions and liquidated damages awards 
against firms that engaged in prohibited practices and did not participate in an approved safe 
harbor program. In sharp contrast, compliance with approved self-regulatory guidelines would 
not only serve as a safe harbor in any enforcement action but exempt program participants 
from civil law suits and monetary penalties. Other sticks for non-participating firms might 
include broader opt-in requirements; external and independent audits of regulatory compliance 
and mandatory reporting to the FTC; and much stricter requirements for firms engaged in 
online behavioral advertising such as a total ban on the use of sensitive information in 
behavioral targeting and a data retention limit of one month. 


’ Id. at 28-36. 
"* Id. at 23 
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In addition to these sticks, privacy legislation might also offer safe harbor participants a 
number of carrots including exemptions from civil actions and liquidated damages; cost-savings 
such as compliance reviews based on self-assessments rather than external audits by an 
independent third-party; government recognition of better performing firms (e.g., an FTC "seal 
of approval" under which firms that meet safe harbor requirements are duly recognized); 
government procurement preferences for the products or services of participating firms 
{including perhaps contracts for cloud computing services); and regulatory flexibility In the 
form of tailored requirements addressed to specific business models such as online behavioral 
advertising (e.g., relaxed notice and consent and/or data retention requirements for firms that 
engage in practices similar to those described in Section 3{e) of the Boucher bill). 

In summarizing this new approach to privacy safe harbors, it bears repeating that safe 
harbor benefits would be limited to firms demonstrating superior performance and would not 
be available to other covered entities that merely satisfy default statutory requirements. In 
other words, a safe harbor provides incentives, in the form of sticks and carrots, but only to 
firms that meet higher performance standards based on data governance principles, advanced 
privacy methodologies, and best practices. What might such standards look like? 

Data governance may be defined as "a system of decision rights and accountabilities for 
information-related processes, executed according to agreed-upon models which describe who 
can take what actions with what information, and when, under what circumstances, using what 
methods."® A good example of a data governance practice is appointing an individual (such as a 
Chief Privacy Officer) with overall responsibility for setting privacy protection policy and 
standards within a firm, managing risks and impacts of privacy-affecting decisions, publicizing 
within the company who has authority and accountability for governance decisions, and 
creating reporting mechanisms for both internal and external stakeholders about the status 
within the organization of such policy and standards. 

Advance privacy methodologies include development guidelines for building privacy 
protection into any product or service that uses personal data. This process— which is 
sometimes referred to as "Privacy by Design"— implies that before releasing a new product or 
service, firms identify and address privacy issues using well-established techniques including 
data minimization, anonymization, access controls, and encryption and other security 
measures; create a privacy statement describing how personal data will be handled in response 


^ See Data Governance Inst., Defining Data Governance, available at 
ht tD://wvvw.d ataaov ernance.com/gbg delinine govemance.html . 
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to identified privacy concerns; and otherwise protect consumers' privacy by applying all 
relevant aspects of a robust set of Fair Information Practices (FIPs).® 

Finally, industry-wide best practices include mandatory privacy training for all staff with 
privacy responsibilities, providing online guidance on privacy and security issues to employees 
and consumers, and implementing a complaint-handling procedure. Both of the bills under 
consideration today require safe harbor participants to adopt best practices, (in Section 3(e) of 
the Boucher-Stearns draft bill, however, the safe harbor provision is limited to online 
advertising firms; hence the focus instead is on industry-specific best practices.) 

It is important to note that this is a very partial list of relevant performance standards. A 
more comprehensive list of potential standards is available in the previously mentioned article.^ 

Public Consultation Requirement 

in thinking about this new approach to privacy safe harbors, two additional caveats are 
necessary; First, unlike previous or existing self-regulatory schemes, it would not suffice for 
industry alone to develop the relevant privacy performance standards or best practices. Rather, 
such standards must emerge from a multi-stakeholder process in which both advocacy groups 
and members of the public have an opportunity to participate. This requires that interested 
parties engage in difficult and perhaps protracted negotiations, and stay at the table until a 
consensus is forged.® Second, the government must reserve the final decision on whether the 
performance standards or best practices achieve a high enough level of privacy protection to 
warrant the granting of any proposed safe harbor benefits. 

The COPPA safe harbor relies on a notice and comment procedure to approve proposed 
self-regulatory guidelines, but it is worth considering two alternative options that meet both of 
the above caveats. The first is negotiated rulemaking, a statutorily defined process by which 
agencies formally negotiate rules with regulated industry and other stakeholders as an 
alternative to conventional, notice and comment rulemaking.® In theory, negotiated rulemaking 


' See, e.g., U.S. Department of Homeland Security, Privacy Policy Guidance Memorandum, The Fair 
Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security (Dec. 2008), 
available at http://www.dhs.eov/xlibrarv/assets/privacv/privacv policvguide 20Q8-01.pdf (identifying eight 
principles: transparency, individual participation, purpose specification, data minimization, use limitation, data 
quality and integrity, security, accountabiiity and auditing). 

^ See Rubinstein, Privacy and Regulatory Innovation; Moving Beyond Voluntary Codes, 49-50. 

® This may seem impracticable, but three leading Internet firms recently partnered with a diverse group of 
non-governmental actors in a voluntary effort to negotiate free speech and privacy principle. After eighteen 
months of work, this multi-stakeholder group reached agreement and launched the Global Network Initiative 
(GN(), jointly committing to a set of principles and implementation guidelines as well as an accountability system 
based on independent, third-party assessments. For the GNI's three core commitment documents, see 
http://www.giQbalnetworkinitiative.ore/index.Dhp . 

* See the Negotiated Rulemaking Act of 1990, codified as amended at 5 U.S.C. §§ 561-570. 
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reduces cost and other regulatory burdens by developing alternative or innovative means of 
compliance not permitted under a statute's default requirements, thereby allowing industry 
more flexibility as to the timing of compliance investments, and reducing regulatory 
uncertainty. The incentives for regulators and advocacy groups to support this approach include 
the prospects of a higher level of benefits than would have been obtained, as a practical 
matter, under the standard default requirements.*” 

Negotiated rulemaking is most likely to succeed when two additional conditions are 
present: First, the regulatory agency should understand the industry and the issues well enough 
to have formulated a broad view of what a good regulatory solution should look like but it 
should not be wedded to a particular substantive outcome. Second, the substance of the 
regulation should require the credible transmission of information between the regulated 
entities and other interest groups-i.e., industry should possess unique knowledge and 
expertise such that it is in the best position to understand how regulation will affect its 
activities. Hence, industry cooperation is needed to ensure a satisfactory regulatory outcome. 

Arguably, the present case satisfies both of these conditions. On the one hand, the FTC 
is very knowledgeable regarding online privacy but is not yet locked-in to any one approach. On 
the other, Internet firms (including network advertising firms) undoubtedly possesses greater 
expertise and insight into the complex technology and evolving business models underlying the 
digital world than either privacy advocates or FTC staff. In the past, this information has been 
shared or elicited mostly through one-sided communications— unilateral industry codes of 
conduct; complaints filed with the FTC; or charges and countercharges at public forums. In a 
(successful) negotiated rulemaking process, however, the parties have an incentive to educate 
each other, pool knowledge, and cooperate in problem solving. 

That said, negotiated rulemaking is not always appropriate and imposes heavy burdens 
on participants in terms of time and other resources. With these burdens in mind— and 
especially their impact on the FTC's relatively small Division of Privacy and Identity Protection — 
i would like to propose an alternative to negotiated rulemaking that both addresses potential 
resource concerns while ensuring that the safe harbor approval process establishes a role for 
advocacy groups and the public. 

In a nutshell, this second alternative consists in a two-step process for approving privacy 
safe harbors. In Step 1, safe harbor program sponsors would have to submit to the FTC a short 
initial proposal showing that they have met statutorily defined criteria (see below). FTC would 


See Rubinstein, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, pp. 44-46. 
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then have 45 days to conduct a fairly perfunctory review designed to determine if these criteria 
were met. if not, FTC would issue a preliminary denial and the sponsor would have to wait 
twelve months from the FTC decision before submitting a revised proposal; if so, FTC would 
issue a preliminary approval and the sponsor would then proceed to Step 2. The criteria for 
approving an initial proposal might include the following: 

• The sponsor is representative of an industry sector, (This is intended to discourage 
applications from firms that wish to sponsor a safe harbor program merely as part of a 
business plan, rather than due to their industry role or subject matter expertise); 

• The sponsor has industry support as indicated by endorsements from leading members 
of the industry (defined in terms of size, revenue, influence, etc.); 

• The sponsor's proposed program advances broad goals such as consumer protection, 
cost savings, and innovation; 

• The sponsor has drafted self-regulatory guidelines addressing all of the core statutory 
requirements of a safe harbor program.” 

Upon approval of an initial proposal, the sponsor would then have up to 180 days to 
submit a more detailed application for approval, which FTC would review and approve within 
180 days using a conventional rulemaking process. Step 2 would require the sponsor to submit 
a more comprehensive program description demonstrating that the program meets or exceeds 
all relevant safe harbor requirements. In addition, the sponsor would have to show that it 
continues to have substantial industry support (e.g., by listing the names of the firms that have 
expressed an interest, in writing, in participating in the program) and that it has engaged in 
stakeholder consultation, This would require the sponsor to include in its formal application a 
statement describing who is affected by the proposed safe harbor guidelines, efforts it has 
taken to consult with affected groups (including consumer or advocacy groups), changes to the 
proposed safe harbor guidelines resulting from these consultations (if any), a summary of any 
issues that remain unresolved and why (including any concerns raised by the FTC), and that the 
public consultation remained open for at least 60 days.” 


“ This assumes that FTC would engage in a rulemaking procedure defining industry representation, 
consumer benefits, cost savings, and innovation. 

“ The Network Advertising Initiative recently engaged in a public consultation along these lines when it 
released a draft update to its original NAI Principles, solicited public comments on the proposed changes, and 
published both the comments and its responses. See NAI, NAI PRINCIPLES 2008: THE NETWORK ADVERTISING 
INITIATIVE'S SELF-REGUWTORY CODE OF CONDUCT FOR ONLINE BEHAVIORAL ADVERTISING (Apr. 2008), available 
at httD://networkadvertisine.ore/networks/NAI Principles 2008 Draft for Public.odf . Under the process 
described in the text, however, FTC would retain final approval authority if it decided the NAI guidelines were 
inadequate notwithstanding a satisfactory public consultation. 
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step 1 of this alternative process is meant to discourage the submission of weak 
applications by entities lacking industry expertise or support. It also dispenses with the need for 
FTC to work with sponsors on improving inadequately designed programs.*^ FTC would review 
the initial proposal mainly to ensure that it is approvable subject to meeting the more formal 
requirements of Step 2. But if the program is inadequate on its face, FTC would simply deny the 
initial application and impose the 12-month waiting period. Step 2 requires industry to reach a 
rough consensus with advocacy groups and respond to any major concerns or to explain why 
this is infeasible. Although FTC is not required to approve a program merely because industry 
demonstrates good faith efforts in the consultation process, the idea is that by requiring a 
rough consensus, the consultation process will result in better quality guidelines with greater 
legitimacy for everyone involved. The overall goal is to ensure that FTC devotes its limited 
resources to reviewing programs that have already demonstrated a high likelihood of success. 

Comments on the Safe Harbor Provisions of the Two Bills Now Under Consideration 

When Congress last seriously considered online privacy legislation about ten years ago, 
bills introduced by Reps. Markey, Sens. Burns and Widen, Rep. Stearns, and Sen. Holiings 
provided for a comprehensive, self-regulatory safe harbor modeled on COPPA.^"' Like these 
earlier bills, both of the bills under consideration today include safe harbors but of very 
different scope and import. Section 3(e) of the Boucher bill creates a limited safe harbor for 
advertising networks that track online behavior. It exempts these networks from having to 
obtain explicit, opt-in consent provided they allow consumers to access and manage their 
profiles.'® A coalition of consumer groups has objected to this provision on the grounds that it 
relies on the discredited notice-and-choice model, which they consider ineffective for ensuring 


” The privacy safe harbor might also include a provision encouraging or requiring FTC to convene a 
privacy workshop at least once every 5 years, where it would consider recent developments in privacy and 
technology and to issue a report on how best to improve privacy regulation. One goat of these workshops (which 
would resemble the most recent FTC Privacy Roundtables) would be to identify industry sectors that are "ready" 
for safe harbor programs, thereby encouraging such groups to submit Initial proposals. 

See the Electronic Privacy Biit of Rights Act of 1999, H.R.3321, 106*'' Cong. § 4 (1999); the Online Privacy 
Protection Act of 1999, S. 809, 106*'’ Cong. § 3 (1999); Consumer Privacy Protection Act of 2002, H.R, 4678, 10?"' 
Cong. §106 (2002); the Online Personal Privacy Act, S. 2201, 107''' Cong. § 203 (2002). 

More specifically, the requirements for "individual managed preference profiles" under Section 3fe) are 
as follows: (1) users must be provided with a readily accessible opt-out mechanism whereby the opt-out choice of 
the individual is preserved and protected from incidental or accidental deletion; (2) firm must delete or render 
anonymous any covered information not later than 18 months after the date the covered information Is first 
collected; (3) firms must place a symbol or seal in a prominent location on both its website and on or near any ads 
it delivers based on a user's preference profile that enables an individual to connect to additional information 
regarding advertising practices and allows individuals to review and modify, or completely opt out of having, a 
preference profile created and maintained by the firm or a an ad network; and (4) any ad network to which a firm 
discloses covered information must avoid further disclosure to any other entity except with the user's express 
affirmative consent. 
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online privacyl® In my view, the more fundamental problem with this approach is its 
narrowness and inflexibility. Section 3(e) enshrines a single program already adopted by several 
companies engaged in targeted advertising (including Google and Yahoo, both of whom already 
allow users to access and revise their profiles). But the Boucher bill lacks a more general safe 
harbor provision that would encourage other companies (and other sectors) to offer innovative 
privacy protections or adopt industry-specific best practices. 

In contrast, Title V of the Rush bill provides a full-fledged safe harbor under which any 
self-regulatory program (referred to as a "Choice Program") may qualify for certain exemptions 
provided the programs meet the following five requirements: 

• A "universal" opt-out mechanism and preference management tool that applies 
an individual's choices to all firms participating in the Choice Program; 

• Guidelines and procedures that offer equivalent or greater protections than 
those required in Title I (transparency, notice and individual choice) and Title II 
(accuracy, access and dispute resolution); 

• Approval procedures for participating firms; 

• Procedures for periodic self-assessment and random compliance testing; and 

• Consequences for failure to comply with program requirements. 

Firms that participate in and comply with an approved Choice Program meeting these 
requirements are exempted from (1) the express affirmative consent requirements under 
subsection 104(a); (2) the access requirement under section 202(b); and (3) liability in a private 
right of action brought under section 604. 

In my opinion, the Choice Program is preferable to the limited exemption for individual 
managed preference profiles for several reasons. First, and obviously, it is more comprehensive 
and therefore allows companies in any sector to develop innovative privacy protections or 
adopt industry-specific best practices. Second, it relies on a good mix of carrots and sticks 
including tiered liability. However, in order to meet the basic test of any safe harbor-which is 
that program participants are entitled to better treatment based on superior performance-the 
Choice Program needs strengthening in several areas. To begin with, it needs to clarify that 
safe harbor approval depends on compliance not only with Titles I and II but also with Title III 
(security, data minimization and accountability). I would also support the addition of several 
new elements to the list of requirements for self-regulatory programs including (a) procedures 
for handling and reporting on consumer complaints; and (bj guidelines for requiring 

“ See Letter from Jeff Chester, Center for Digital Democracy, et at., to Reps. Rick Boucher and Cliff Stearns 
(June 4, 2010), available at httci://www.demQcraticmedia.ore/files/ul/2010-06-letter-to-boucher.pdf . 
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participating firms to build privacy protection into their products or services using "privacy by 
design" or related methods and techniques. 

Recommendations and Conclusion 

First, Congress needs to enact comprehensive privacy legislation incorporating the full 
range of Fair Information Practices. 

Second, this legislation should include a broad-based safe harbor program based on a 
co-regulatory approach that provides flexibility to industry in shaping self-reguiatory guidelines 
in exchange for superior performance, while ensuring that the FTC retains general oversight 
authority to approve and enforce such guidelines. 

Finally, this safe harbor program should be amended to include a complaint handling 
process and privacy by design requirement; it should also require public consultation as part of 
the safe harbor approval process, which might consist in negotiated rulemaking or the two-step 
application process as described above. 

Section 3(e) of the Boucher-Stearns discussion draft and the Choice Program as set out 
in Title IV of H, R. 5777 are important first steps in developing a new approach to safe harbors 
but should be expanded in various ways as discussed above. 

I want to thank you again for the opportunity to appear before the Committee today. I 
will be pleased to answer your questions and would be happy to provide any further assistance 
as appropriate. 
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Mr. Rush. Mr. Zaneis, you are recognized for 5 minutes. 

Mr. Zaneis. I am happy 

Mr. Rush. I am sorry 

Mr. Zaneis. That is all right, we don’t want to skip over Jason. 

Mr. Rush. Mr. Goldman, I am sorry. Mr. Goldman 

Mr. Goldman. Thank you very much. 

Mr. Rush. You are recognized for 5 minutes. 

STATEMENT OF JASON GOLDMAN 

Mr. Goldman. Good afternoon. Chairman Rush, Ranking Mem- 
ber Whitfield, and members of the Subcommittee. I am Jason Gold- 
man, Telecommunications, and E-commerce Counsel at the U.S. 
Chamber of Commerce. The U.S. Chamber of Commerce is the 
world’s largest business federation representing the interest of 
more than three million businesses and organizations of every size, 
sector, and region. On behalf of the Chamber and its members, I 
thank the Subcommittee for its work on consumer protection and 
for the opportunity to testify here today. 

Privacy is a key issue for the Chamber. The Chamber supports 
policies that foster business opportunities while respecting con- 
sumer’s privacy. The collection of personal information is necessary 
to provide consumer, social, and business benefits. Given the diver- 
sity of private sector businesses should have latitude within accept- 
able guidelines in defining what they need — what kind of informa- 
tion they need to collect and use. 

Recently the debate over privacy has been brought to the fore- 
front by the growth of the Internet. The Internet has revolutionized 
the way business is conducted in all sectors of the global economy 
including financial services, retail, wholesale distribution, and 
manufacturing. Today the vast majority of companies, small and 
large, are online and use the Internet to communicate with con- 
sumers and with the vendors, and all the different other entities. 
In particular, ad-supported content has been key to the success of 
broadband. Frequently online content is provided free of charge to 
consumers and revenues are instead generated through adver- 
tising. This ad-supported business model has been a key to the suc- 
cess of many Internet adventures and has helped to make the 
Internet an engine of growth in the U.S. economy. 

I will now turn to the bills that are the topic of this hearing. The 
Chamber received the text of the Best Practices Act just a few days 
ago, so my comments today are based on our initial read of the bill 
and may change as we further analyze the bill and vet the bill 
through our membership. The Chamber’s analysis of Boucher/ 
Stearns discussion draft was submitted to their Subcommittee in 
June and is attached to our testimony. 

The Chamber very much appreciates the work that went into 
drafting the Best Practices Act. Despite the inclusion of some of the 
provisions that we support, we still have strong concerns the bill 
as currently drafted. The Chamber — I will go through some of the 
provisions that we support and also some of the ones that we have 
modifications to. The Chamber is pleased that the bill directs the 
FTC to promulgate rules under this act in a technology-neutral 
manner. Government should not pick winners and losers. The 
Chamber applauds the inclusion of language that preempts State 
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laws governing the collection and use of data. However, the Cham- 
her believes the language could have been even stronger to help 
businesses avoid having to comply with 50 different State laws. 
The Chamber agrees with the intent of Section 502 which states 
that the bill should have no effect on activities covered by other 
federal privacy laws. However, the opening clause of this section 
states “except as provided expressly in the Act.” This could be in- 
terpreted by the FTC or by the courts as permitting the creation 
of multiple layers of regulation. 

The Chamber appreciates the bill attempts to maximize regu- 
latory flexibility. However, at the same time the Chamber is con- 
cerned that the sheer number of rulemakings will create needless 
regulatory uncertainty. The Chamber also believes that the safe 
harbor provision as drafted is a good start but improvements could 
be made. We are gratified by the recognition that industry self-reg- 
ulation in this area has and will continue to protect consumers, 
however the safe harbor in our opinion is too narrow and should 
follow FTC and industry principles. And also the Chamber has se- 
rious concerns about private right of action as well as an explicit 
grant of authority to State Attorneys General to enforce the legisla- 
tion. 

When combined with the FTC’s own enforcement authority we 
are concerned that these official mechanisms will serve to impose 
duplicative and potentially inconsistent findings of liability as well 
as excessive damage awards. In addition the explicit grant of au- 
thority for the award of punitive damages and attorney’s fees will 
serve to increase the likelihood that elements of the plaintiffs class 
action trial bar will use this legislation as a way to increase class 
action litigation with little benefit being given to the general pub- 
lic. 

The Chamber also has some concerns covered in more detail in 
our testimony with the opt-in requirements of third party sharing 
and opt-out requirements for information collection, as these provi- 
sions could upset established business practices for many of our 
members. 

Finally the Chamber has concerns with access and dispute reso- 
lution and the definition of covered information which I will be 
happy to discuss further during our Q and A. Thank you again, 
and I am happy to answer your questions following Mr. Zaneis. 

[The prepared statement of Mr. Goldman follows:] 
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The U.S. Chamber of Commerce is the world’s largest business federation, representing 
the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state 
and local chambers and industry associations. 

More than 96 percent of the Chamber’s members are small businesses with 
100 or fewer employees, 70 percent of which have 10 or fewer employees. Yet, virtually all of 
the nation's largest companies are also active members. We are particularly cognizant of the 
problems of smaller businesses, as well as issues facing the business community at large. 

Besides representing a cross-section of the American business community in terms of 
number of employees, the Chamber represents a wide management spectrum by type of business 
and location. Each major classification of American business - manufacturing, retailing, 
services, constraction, wholesaling, and finance - is represented. Also, the Chamber has 
substantial membership in all 50 states. 

The Chamber's international reach is substantial as well. It believes that global 
interdependence provides an opportunity, not a threat. In addition to the 
U.S. Chamber of Commerce’s 113 American Chambers of Commerce abroad, an increasing 
number of members are engaged in the export and import of both goods and services and have 
ongoing investment activities. The Chamber favors strengthened international competitiveness 
and opposes artificial U.S. and foreign barriers to international business. 

Positions on national issues are developed by a cross-section of Chamber members 
serving on committees, subcommittees, and task forces. More than 1,000 business people 
participate in this process. 
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Hearing on H.K. 5777, the “BEST PRACTICES Act” and H.R. , A Discussion Draft to 

Require Notice to and Consent of an Individual Prior to the Collection and Disclosure of 
Certain Personal Information Relating to that Individual 

Testimony of Jason D. Goldman 
Counsel, Telecommunications & E-Commerce 
U.S. Chamber of Commerce 

July 22, 2010 


Good afternoon, Chairman Rush, Ranking Member Whitfield, and other Members of the 
Subcommittee on Commerce, Trade, and Consumer Protection. I am Jason D. Goldman, 
Telecommunications & E-Commerce Counsel at the U.S. Chamber of Commerce, the world’s 
largest business federation, representing the interests of more than three million businesses and 
organizations of every size, sector, and region. On behalf of the Chamber and its members, I 
thank you for the opportunity to testify here today on the “BEST PRACTICES Act” and on a 
discussion draft to require notice to and consent of an individual prior to the collection and 
disclosure of certain personal information relating to that individual. 

Chamber’s Position on Privacy 


The Chamber supports policies that foster business opportunities while respecting 
consumers’ privacy. The collection of personal information is necessary to provide consumer, 
social, and business benefits. Given the diversity of the private sector, business decision makers 
should have latitude, within acceptable guidelines, in defining their needs for personal 
information. Cost control and competitive pressure in the private sector provide a strong natural 
deterrent to the collection of unnecessary, erroneous, or irrelevant information. 

Public policymakers and business leaders should weigh protection of privacy rights 
against a variety of factors, such as consumer convenience, the needs of management and the 
ultimate cost to the individual and public at large as well as to business and governmental 
entities. Before proposing governmental actions, policymakers should have a thorough 
understanding of the possible tradeoffs of these factors. 

The Importance of the Internet to the U.S. Economy 

The Internet has revolutionized the way business is conducted in all sectors of the global 
economy — including financial services, retail, wholesale-distribution, manufacturing, and many 
more. Today, the vast majority of companies of all shapes and sizes are online in some capacity 
and use the Internet to communicate with consumers, employees, existing customers, potential 
customers, and business partners around the world. 


In particular, ad-supported content has been key to the success of broadband. With 
broadband accessible to the vast majority of Americans, the amazing array of content (including 
applications and services) available on the Internet has convinced more and more Americans to 
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go online using a broadband connection every year. Frequently, online content is provided free 
of charge to consumers, and revenues are instead generated through advertising. U.S. Internet 
advertising revenues totaled $5.9 billion for the first quarter of 2010, representing a 7.5 percent 
increase over the same period in 2009, according to the Interactive Advertising Bureau and 
PricewaterhouseCoopers. Some of the products that consumers receive for free are: Web mail, 
maps, news sites, blogs, social networks, video, job boards, and product rating and pricing 
services. Consumers recognize and appear willing, in many situations but not all, to permit 
information to be collected about them in exchange for goods and services that are of value to 
them. This ad-supported business model has been a key to the success of many Internet ventures 
and has helped to make the Internet an engine of growth in the U.S. economy. 

Analysis 

The Chamber received the text of the BEST PRACTICES Act earlier this week, so the 
comments below are based on our initial read of the bill and may change as we further analyze 
the language and vet the bill through oiu membership. The Chamber’s analysis of the 
Boucher/Stearns discussion draft was submitted on June 2, 2010, to the House Subcommittee on 
Communications, Technology and the Internet, and is attached to this testimony (Appendix A). 

BEST PRACTICES Act 


The Chamber appreciates the work that went into drafting the BEST PRACTICES Act. 
Despite the inclusion of some provisions that we support, we have strong concerns with H.R. 
5777 as currently written. 

I. Definition of Covered Information 

The definition of “covered information” in H.R. 5777 should be narrowed. Only data 
elements that could be used to commit identity theft or other direct consumer harm should be 
included in the definition. If the "unique identifier” is publicly available and does not contain 
any personal information then it should be excluded from the definition. For example, as 
drafted, the bill would impose the same protections on user IDs as it would for name and email 
addresses. 

Therefore, “unique identifier,” “persistent identifier,” “Internet Protocol address,” 
“telephone number,” “fax number,” and other such data elements should be removed from the 
definition except where such data has already been merged with other personal information 
elements. 

The Chamber supports standardized definitions. Therefore, rather than creating a new 
category of “covered information,” it would be better to model this definition after the “personal 
information” definitions found in many recent state data security and breach notification bills. 
Instead of including general categories of data elements which camiot identify a person, these 
definitions tend to tie a person’s first and last name or first initial and last name with an address 
to a data element such as a social security number, drivers’ license number, or financial account 
number. 
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The Chamber supports the exemption from the “covered information” definition for 
information collected about an employee, by an employer, prospective employer, or former 
employer tliat directly relates to that relationship. 

//. Definition of Operational Purpose 

Generally, the “operational purpose” exemption is too limited because it does not apply if 
the data is also used for marketing, advertising, or sales; dual-use of such data is a common 
industry practice. Under the bill, if a user chooses to opt-out, then the collection of non- 
identifying information (e.g., cookies or the user’s IP address) is prohibited. 

III. Definition of Sensitive Information 

Instead of codifying precise geographical information as sensitive persona! information, 
the Chamber recommends that the collection and use of this data be governed by self-regulatory 
regimes. 

IV. First-Party Opt-Out Requirement 

Consumer privacy expectations are different when dealing directly with a first-party then 
when there is a third-party relationship between the consumer and the business. For this reason, 
the U.S. regulatory framework has long recognized a broad first-party exemption to consumer 
consent requirements which has been supported by the Federal Trade Commission (FTC) as 
recently as in its staff report on online behavioral (OBA) advertising principles. The Chamber 
believes this legislation should maintain this first-party exemption. 

U.S. businesses would be adversely impacted by a first-party opt-out mandate. It would 
require all media, retailers, service-oriented businesses, marketing companies, advertisers and 
others — in both online and offline environments — to offer an opt-out option to all consumers for 
any data that may be collected or used under any circumstances. Furthermore, H.R. 5777 should 
allow for flexibility to account for the inherent differences between operating in the offline and 
online worlds. 

Also, opting out of the collection of certain information couJd impact Web site operation 
and optimization. For example, when a consumer voluntarily visits a Web site, certain 
information must be collected by that company, including their IP address or referrer URL, in 
order to deliver the content on the site. 

An opt-out consent standard would create a perverse incentive of requiring all media, 
retailers, service-oriented businesses, advertisers and others — in both online and offline 
environments — that do not already collect detailed consumer information to begin doing so in 
order to allow them to exercise opt-out choices over time. Such a requirement, for instance, 
could require retailers to offer all credit-card-using consumers opt-outs for the use of bar code 
scanners at checkout counters. In turn, these businesses would begin to develop and maintain 
detailed dossiers of persona! transactions, in order to render all data from past transactions 
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unusable if at any point in the future the consumer wishes to exercise an opt-out with respect to 
the prior collection of data. 

The Chamber does not believe that such a statute would further consumer trust; rather it 
may create greater privacy concerns while costing businesses millions of dollars to implement. 

V. Express Affirmative Consent 

Requiring opt-in “express affirmative consent” for the disclosure of “covered 
information” to unaffiliated third parties profoundly alters commonly accepted business 
practices. The definition of covered information is extremely broad as stated previously and 
includes several largely anonymous types of data, including cookies, IP addresses, and unique 
identifiers for computers or devices. These types of data points are inherently neither personal 
nor sensitive in nature and, thus, should not be subject to the strictest consumer consent 
requirements. Current regulatory requirements subject only the most sensitive data categories to 
an opt-in requirement, and many of those provisions recognize a lower standard when that data is 
used for marketing or advertising purposes. 

VI. Access and Dispute Resolution 

To avoid redundancy and confusion, there should be an exemption from the access and 
dispute resolution requirements when an entity or information (e.g., databases containing public 
record data) is already regulated by other laws (mainly consumer reporting agencies under Fair 
Credit Reporting Act and financial institutions under Gramm-Leach-Bliley). Additionally, 
databases that are used for fraud, authentication, and contract enforcement should be exempted, 
to the extent necessary, to prevent fraudsters from accessing and/or modifying these databases. 
Once all of these exemptions are included, however, mainly just advertising databases would be 
subject to this new access and correction regime. Therefore, we would encourage policymakers 
to carefully study this issue before proceeding because the cost of providing access and 
correction for those databases is very steep, while the benefit for consumers is minimal. 

VIl Safe Harbor 

The Chamber believes that the safe harbor provision, as drafted, is a good start but 
improvements could be made. We are gratified by the recognition that industry self regulation in 
this area has and can continue to protect consumers. However, the safe harbor is too narrow and 
should follow FTC and industry principles, including the exemption of first party data practices, 
greater flexibility in how consumer notice is delivered, and exemption from data accuracy and 
correction provisions (it appears to only exempt companies from the data access requirements). 
Moreover, the recognition that an opt-out standard for third-party data usage sufficiently protects 
consumers’ privacy calls into question whether the opt-in standard for third-parties in Section 
104 is proper. The FTC and industry agree that opt-out is the appropriate standard, so we would 
urge the Chairman to seek to codify that standard as the baseline in H.R. 5777. 
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VIIL Activities Covered by Other Federal Privacy Laws 

The Chamber agrees with the intent of Section 502, which states that H,R. 5777 should 
have no effect on activities covered by other enumerated federal privacy laws, such as the 
Gramm-Leach-BIiley Act, the Fair Credit Reporting Act, and HIPAA. However, the opening 
clause of this section, which states “except as provided expressly in this Act,” could be 
interpreted by the FTC or by courts to permit the creation of another layer of regulation in 
addition to provisions in each of the enumerated acts. Given the potential conflicts with having 
the same type of data collection and use covered by more than one federal privacy regime, a 
covered entity could very well find itself unable to comply with two separate federal privacy 
laws for the same covered information, thereby involuntarily subjecting itself to fines and other 
enforcement actions for non-compliance with one or both of the acts. To avoid this potential 
conflict with existing federal privacy regimes, the Chamber strongly recommends that this 
section be clarified to provide an explicit carve-out from the definition of covered entity for 
entities already covered by the enumerated acts. 

IX. Private Right of Action 

The Chamber also has serious concerns about the various liability-related provisions in 
H.R. 5777. For example, in addition to the robust enforcement mechanisms provided to the 
FTC, the legislation also contains a private right of action as well as an explicit grant of authority 
to state attorneys general to enforce the legislation. We are concerned that all of these 
mechanisms will serve to impose duplicative and potentially inconsistent findings of liability as 
well as excessive damage awards. In addition, the explicit grant of authority for the award of 
punitive damages and attorney’s fees will serve to increase the likelihood that elements of the 
plaintiffs’ class action trial bar will use this legislation as a way to increase class action litigation 
with little benefit being given to the general public. 

X. FTC Rulemaking Authority 

The Chamber is pleased that H.R. 5777 directs the FTC to promulgate rules under this 
Act in a technology-neutral manner. Specifically, the bill prohibits the FTC from requiring the 
deployment or use of any specific products or technologies, including any specific computer 
software or hardware. 

The Chamber appreciates that the bill attempts to maximize regulatory flexibility by 
granting the FTC authority to engage in rulemakings on a variety of matters. Given that business 
must respond rapidly to market developments and technological advancements, innovation 
should be encouraged, not hindered. However, at the same time, the Chamber is concerned that 
the sheer number of rulemakings will create needless regulatory uncertainty. In addition to 
rulemakings to create exemptions and exceptions, there are rulemaking requirements in many 
other areas of the bill including definitions (e.g., sensitive information and third parties), on 
notice, on accuracy, and on the process for granting safe harbor for self-self-regulatory 
initiatives. 
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XI. Effect on Other Laws 

The Chamber applauds the inclusion of language that would preempt state laws 
governing the collection and use of data. However, the Chamber believes this language could be 
even stronger to help businesses avoid the complexity of having to comply with 50 different 
laws. 

Conclusion 

Once again, the Chamber greatly appreciates the opportunity to testify today. The 
Chamber stands ready to work with you on these and other issues. Thank you very much. 
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The Honorable Rick Boucher 
Chairman 

Subcommittee on Communications, 
Technology and the Internet 
Committee on Energy and Commerce 
U.S. House of Representatives 
Washington, DC 20515 


The Honorable Clift' Stearns 
Ranking Member 

Subcommittee on Communications, 
Technology and the Internet 
Committee on Energy and Commerce 
U.S. House of Representatives 
Washington, DC 20515 


Dear Chairman Boucher and Ranking Member Steams: 


The U.S. Chamber of Commerce, the world’s largest business federation representing the 
interests of more than three million businesses and organizations of every size, sector, and 
region, thanks you for the opportimity to offer thoughts and recommendations on your draft 
privacy legislation. ' The draft legislation would fundamentally change how online and offline 
information collection and sharing is conducted, and has the potential to harm a vibrant and 
legitimate part of the U.S. economy. In addition, close scrutiny is needed to determine the bill’s 
impact on existing laws. While the Chamber is pleased that the draft bill contains appropriate 
provisions to ensure predictable and consistent enforcement, the Chamber has some strong 
concerns with the draft bill that are highlighted below. 

Definition of Covered Information 

The Chamber believes that, as currently drafted, the definition of “covered information” 
is far too broad. It is important that such a definition encompass only data elements that could be 
used to commit identity theft or other direct consumer harm. Furthermore, the draft bill includes 
the term “unique identifier” within the definition of covered information. Such a term is overly 
broad as many social media websites assign each user a unique identifier that is publicly 
available and absent of any personal information. The bill would impose the same protections on 
user IDs as it would for name and email addresses. 

Therefore, the Chamber strongly urges that data elements such as “unique identifier,” 
“persistent identifier,” “Internet Protocol address,” “telephone number,” and “fax number” be 


* The Chamber represents many different types of companies and economic sectors with 
different concerns in tlie telecommunications and Internet areas and while the position stated in 
these comments is the official position for the U.S. Chamber of Commerce, our comments do not 
reflect the views of all company members. 
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removed from the definition except where such data has already been merged with other personal 
information elements. As an example, a persistent identifier on a device owned by an individual 
could literally cover a product code. Additionally, “covered information” appears to be a new 
definition that is not used by any other relevant privacy law. The Chamber is concerned about 
the conflicts and confusion that could arise from the use of this broad, new definition covering 
nearly all data. 

A more appropriate way to approach the scope of covered information would be to craft a 
definition similar to “personal infonnation” definitions found in many recent state data security 
and breach notification bills. These definitions tend to tie a person’s first and last name or initial 
and last name with an address to a data element such as a social security number, drivers’ license 
number, or financial account number. Within this type of definition there are data elements that 
can actually identify a specific person, as opposed to general categories of data elements which 
cannot identify a person. 

Additionally, the definition of “personally identifiable information” should specifically 
exclude any personal information that has been rendered anonymous or “de-identified” prior to 
its use. This type of infonnation is excluded from other federal privacy laws, such as the Health 
Information Portability and Accoimtability Act (HIPAA). Under HIPAA’s de-identification 
standard, personal health information that has been de-identified in compliance with the law’s 
prescribed standards is not subject to the HIPAA privacy rules. The Chamber recommends a 
similar de-identification standard be used in this legislation and believes this is the correct 
standard for public policy reasons, as well as to avoid direct conflicts on this issue in federal law, 
as discussed further below. 

First Party Opt-Out Requirement 

The Chamber is concerned that the proposal requires a “covered entity” — defined to 
include nearly every commercial business of even moderate size (i.e., those with more than 5,000 
customers annually) — to obtain consumer consent prior to the collection and use of any customer 
information. The federal government has long recognized that consumers have a direct 
relationship with first parties that they chose to do business with and that their privacy 
expectations are different than when third parties are involved. For example, when a consumer 
voluntarily visits a Web site, certain infonnation must be collected by that company, including 
their IP address or referrer URL, in order to deliver the content on the site. This information will 
be used by the first party Web site for non-transactional purposes, including Web site 
optimization and internal marketing practices. For this reason, the U.S. regulatory framework has 
long recognized a broad first-party exemption to consumer consent requirements which has been 
supported by the Federal Trade Commission (FTC) as recently as in its staff report on online 
behavioral (OBA) advertising principles. The Chamber believes this first-party exemption 
should be maintained in the current legislative proposal. 

The impact to U.S. businesses from a new, statutorily-mandated consent standard for first 
parties would be vast. It would require all media, retailers, service-oriented businesses, 
marketing companies, advertisers and others — in both online and offline environments — to offer 
a detailed menu of opt-out options to all consumers for any data that may be collected or used 
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under any circumstances. Opting out of these uses of covered information would have several 
unintended consequences, including hindering fraud prevention, disabling basic Web site 
monitoring and advertising metrics, and hampering content customization and retail product 
recommendations online. 

For example, such a requirement could require retailers to offer all credit-card-using 
consumers opt-outs for the use of bar code scanners at checkout counters. A bottom-line concern 
is that it is unclear which activities trigger a choice requirement. Many direct marketing 
activities already require choice under various federal laws or industry practices. In the draft 
bill, choice is required for marketing, advertising, and sales purposes. However, choice is not 
required for data analytics for product improvement — which is typically performed to improve 
sales. 


Lastly, an opt-out consent standard would create a perverse incentive of requiring all 
media, retailers, service-oriented businesses, advertisers and others — in both online and offline 
environments — that do not already collect detailed consumer information to begin doing so in 
order to allow them to exercise opt-out choices over time. This, in turn, would require these 
businesses to develop and maintain detailed dossiers of personal transactions, in order to render 
all data from past transactions unusable if at any point in the future the consumer wishes to 
exercise an opt-out with respect to the prior collection of data. The Chamber does not believe 
that such a statute would further consumer trust; rather it may create greater privacy concerns 
while costing businesses millions of dollars to implement. 

Notice and Consent for Offline Information 


The Chamber strongly agrees that privacy principles should be applied to the collection 
and use of information in both the online and offline environments. However, any such 
legislati ve or self-regulatory regimes must be flexible enough to recognize the inherent 
differences that technology plays in each environment. Whereas the online environment is 
interactive and allows a link to a Web page that can deliver a privacy policy and offer choices for 
information use, the offline environment is much different, particularly when businesses employ 
manual or small-scale data collection devices, such as “3x5” survey or warranty cards inserted 
into magazines and publications. A privacy policy or notice in the form proposed by the 
legislation cannot reasonably be delivered on such collection devices, and choice cannot be 
obtained unless the consumer has access to the terms and conditions of the privacy notice. 
Another example involves the use of security cameras in stores that also monitor wait-time-in 
line at checkout to speed sales transactions for customers. It would not be feasible to provide a 
lengthy notice of privacy practices or choice prior to data collection. Simply put, in the offline 
arena, covered information may be collected in different formats and technologies, so more 
flexibility is needed for the timing and content of notice and how and where to offer choice. 

In addition to the type of notice and consent to be provided in the online and offline 
settings, the proposed legislation must also consider the ability for businesses to comply with a 
notice prior to collection of covered data. For example, in both the online and offline 
environments, it is often impossible to deliver a notice before infonnation collection begins. The 
above examples demonstrate this impracticality for the offline world but, importantly, this 
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impracticability is true in the online environment, too. Data collection begins immediately when 
a consumer enters a Web site address in a browser and clicks the go or return function, as an IP 
address must be collected before a Web site can be delivered to the browser for display. Also, 
each third party conducting business on the Web site, whether for marketing, fraud detection, or 
setting a time and data stamp, begins collecting information before the Web site actually loads. 
Therefore, significant amounts of covered information, as defined in the proposed bill, could be 
collected before a consumer would actually read a privacy policy and be able to make a choice. 
In many cases, consumers rarely if ever choose to read a privacy policy, so presumably all data 
collected to display the Web site would be in violation of the proposed law. 

These practical problems need to be addressed before legislation is introduced, and the 
Chamber recommends eliminating any requirement that notice be provided prior to the 
“collection” of data. Many federal privacy laws, for example, set forth notice requirements in 
connection with businesses’ uses of information for particular pmposes in order to avoid such 
impracticalities of placing notice and consent regimes on the broad collection of data prior to its 
use. The Chamber recommends a similar focus on the use of data as further discussed below. 

Concerns with Collection Restrictions 


The language in Section 3 is focused on both the collection and use of covered 
information. There are major technological hurdles that companies in the online space would 
face to comply with the limitations on collection of covered information. 

When a user decides to go to a Web page from a Web site, routine information is usually 
collected to help deliver and display that Web page. The collection of this data is integral to the 
proper and efficient delivery of Web pages; therefore, there could be tremendous technical 
ramifications if a consumer blocks the transmission of this data when selecting an opt-out option. 

Advertising revenue frequently allows Web sites to offer consumers content for free. 

This ad-supported business model has been a key to the success of many Internet ventures and 
has helped to make the Internet an engine of growth in the U.S. economy. Unfortunately, the 
draft bill would disrupt this pro-consumer business. 

Generally, the “operational purpose” exemption in the draft is too limited because it does 
not apply if the data is also used for marketing, advertising, or sales; dual-use of such data is a 
common industry practice. Under the draft, if a user chooses to opt-out, then the collection of 
non-identifying information (e.g., cookies or the user’s IP address) is prohibited. However, in 
the offline world, non-identifiable user information is not subject to notice and choice used to 
target advertising displayed in magazines, newspapers, and billboards. The draft bill should be 
technology-neutral and should not favor one type of advertising over another. 

Express Affirmative Consent for Disclosure of Covered Information 

Numerous laws, including the Cable Communications Policy Act, Telecommunications 
Act, Gramm-Leach-Bliley Act, and Fair Credit Reporting Act allow business to share customer 
or other information with unaffiliated biisines.ses whether tor a “pennissible purpose” or 
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otherwise. This draft would cover broadly all disclosures of customer or otlier covered 
information without regard for any intended purpose or to protect any perceived harm. It is 
unclear how the preemption language in this law could be followed with respect to these other 
legal information sharing allowances. By restricting this existing infomiation flow, numerous 
businesses would be affected, especially small and local businesses that regularly use marketing 
lists for market research or direct mail prospecting. 

No Oot-ln for Sharing with Unaffiliated Third Parties 

As currently drafted, the proposal requires opt-in “express affinnative consent” for the 
disclosure of “covered information” to unaffiliated third parties. The Chamber believes that this 
approach is wrong, as it profoimdly alters commonly accepted business practices. The definition 
of covered information is extremely broad as stated previously and includes several largely 
anonymous types of data, including cookies, IP addresses, and unique identifiers for computers 
or devices. These types of data points are inherently neither personal nor sensitive in nature and, 
thus, should not be subject to the strictest consumer consent requirements. Cuncnt regulatory 
requirements subject only the most sensitive data categories to an opt-in requirement, and many 
of those provisions recognize a lower standard when that data is used for marketing or 
advertising purposes. Furthermore, the exceptions for disclosure seem too narrow. It appears 
that the only allowed disclosures of non-employee information are those that are legally required. 
However, many companies with strong disclosure protections also allow limited disclosures for 
safety or health reasons, like product recalls, or when the company is a victim of a crime. 

It should also be noted that the definition of sensitive information is overly broad and 
could, for example, be interpreted to expand the definition to include self-reported financial and 
health information in survey data. Additionally, as noted below, if this draft legislation would 
create a second layer of data regulation, then there could be significant conflicts in statutory 
regimes between this bill’s provisions and those of existing federal laws such as HIPAA or 
Gramm-Leach-Bliley. Such a result may leave many businesses in the untenable situation of 
being unable to comply with two separate federal data privacy laws for the same covered 
information. 

Greater Latitude Should Be Granted for Self-Regulation 

Numerous industry self-regulatory programs exist today requiring that information used 
for marketing or advertising purposes be subjected to robust consumer notice and choice 
requirements. The following have provided such guidance; 1) the Direct Marketing 
Association; 2) the Network Advertising Initiative; 3) the FTC, which published self-regulatory 
principles; and 4) a joint effort led by five marketing industry associations — the American 
Association of Advertising Agencies, the Association of National Advertisers, the Direct 
Marketing Association, the Interactive Advertising Bureau, and the Better Business Bureau — 
that published “Self-Regulatory Principles for Online Behavioral Advertising.” These industry 
groups condition membership on compliance with their self-regulatory practices and sanction 
members who fail to comply. Self-regulatory practices promulgated by these industry groups or 
the FTC should be granted "safe harbor” status along with the concepts outlined in the law 
specifically for “network advertisers.” 
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In addition, the draft does not address Web site browser controls, which are the 
paramount forms of online activity self-regulation today. Browser companies have increasingly 
developed their privacy-protecting user toolsets, and in recent years have begun to market these 
privacy differentiations to increase consumer use of their software. There is also a burgeoning 
privacy-by-design business model being developed using “plug-ins” and other tools to give 
browsers more privacy features and user controls. Increasing emphasis should be given to this 
self-regulatory vehicle. However, this draft would curtail the incentive for innovation regarding 
these browser controls. 

Definitional Inconsistencies and Suggested Clarifications 

Several definitions as currently drafted are either too narrow or too broad, and as 
constructed might unintentionally include many legitimate business practices that should not be 
covered by this draft legislation. The Chamber recommends revising the definitions of the 
following terms to ensure that the legislation sufficiently covers present day business practices: 

® The definition of “render anonymous” exceeds practical use since it would apply 
to any “computer or device,” which would restrict all forms of Web site analytics, 
market research, or other commonly anonymous uses of information. In addition, 
it would exceed the anonymization efforts governing “protected health 
information” under HIPAA which seems to be a contradiction in scope when 
comparing website use of personalized and protected health information. The 
Chamber recommends harmonizing the “render anonymous” definition with 
HIPAA’s existing de-identification standard such that compliance with a similar 
de-identification process would provide a similar exclusion from this legislation. 

® “Covered entity,” “service provider,” and “unaffiliated party”: As drafted, it is 
possible for one entity to meet the requirements of all three definitions, thereby 
subjecting it to a number of different compliance obligations. The Chamber 
recommends carefully re-working these definitions such that there is no overlap 
or conflicting requirements for the same collection and use of covered 
information. 

» The “advertising network” definition refers to “individuals,” yet there is no 
definition of “individual” that would include a “imique identifier.” As a result, 
few if any ad networks actually have “individual” information but rather cookies 
that are associated with a browser, which could be shared with a household or 
public network like a library or cybercafe. 

B The definition of “operational purpose” should be expanded to include “detecting, 
preventing, or acting against actual or suspected fraud targeting the individual.” 
Fraud detection products and services should not be restricted in this bill. This 
definition should also include market research. 

• The definition of “transactional purpose,” by specifically excluding marketing, 
advertising, and sales, prevents practices such as a customer being recommended 
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a certain book or album based on previous purchases, without a notice and opt- 
out. Marketing efforts designed to encourage transactions or sales should be 
considered as part of a transactional purpose and the definition should be 
expanded to include such purposes. 

® The definition of “unaffdiated party” allows for sharing of information without 
opt-in consent as long as there is corporate ownerehip or control. The definition 
should also include entities that operate websites as joint ventures. 

® The definition of Sensitive Information should be changed: 

o “Race or ethnicity” could cover ads delivered in different languages 
o “Mental or physical condition” is overly broad and could encompass 
common ailments, such as a stomach ache. The definition should relate a 
specific diagnosis. 

Undefined Terms 


The Chamber suggests that additional terms be defined to provide greater clarity and to 
ensure against inconsistent interpretations of their meanings, as follows: 

® “Affiliates,” “first party,” and “third party”: Further clarification on what is 
meant by first- and third-party entities will help industry better comprehend who 
is meant to have the various notice and choice obligations found in the bill. 

® The terms for “consent,” “opt-out consent,” “express consent,” “affirmative 
consent,” and “express affirmative consent” are not defined. It is unclear how a 
compliant business would be able to understand and differentiate these terms 
when applied to data collection and use. 

® The term “individual” should be defined to cover natural persons in the United 
States who are customers or visitors to online or offline channels where covered 
infonuation is collected, and exclude employees, companies, and other persons or 
entities not intended to be covered. 

« “Material change” in privacy practices is not defined, and it is unclear how it 
could be applied in cases where traditionally non-personal information uses as 
defined under “covered information” could be applied, such as with IP addresses 
or cookies where notice to these users is typically vmavailable. It is unclear when 
or how an opt-in would be required and delivered, particularly for aspects of a 
policy where choice is not offered to begin with. 

® There is no definition of “all or substantially all of an individuals’ online 
activity.” It is unclear whether this section is directed to Internet service 
providers, advertising networks, Web analytics providers or other entities. The 
legislation should clarify what is the perceived threshold for “substantially all.” 
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The Chamber also recommends such a definition exclude fraud prevention and 
market research services. 

Data Retention Language 

The Chamber has concerns with the data retention provisions in Section 3(e)(2). If 
covered information is collected and/or used for multiple purposes, including transactional or 
operational purposes, it is important to know whether this section applies. Also, there seems to 
be a conflict between the deletion/anonymization requirement of this section and Section 
4(b)(C), which protects against the alteration or destruction of covered information. In addition, 
where the user is in control over his or her own information (such as account data or transaction 
history) through a direct relationship with a provider, retention limits appear unnecessary and 
counterproductive. 

Location Information 


Precise geographical information should not be codified into law at this time as sensitive 
personal information. Instead, the Chamber recommends that the collection and use of this data 
be governed by self-regulatory models at this time. This is a rapidly evolving technological 
field, which could ultimately be helpful in such areas as fraud detection. Therefore, the 
Chamber believes that this type of information would best be left to a more flexible framework 
with guidance from the FTC. 

Aggregate or Anonymous Information 

The Chamber agrees with what appears to be the general intent of Section 5 of the 
proposed draft to exclude from the draft bill’s notice and choice provisions the collection, use 
and disclosure of aggregate information or information that has been rendered anonymous. 
However, it is unclear how Section 5, as currently drafted, would function, and therefore requires 
further clarification. Additionally, it appears that the definition of “render anonymous” may be 
constructed too narrowly to cover the various methods by which personal information may be 
de-identified prior to use so that it is subject to this exclusion. As noted above, the Chamber 
believes it would be important to harmonize this provision and applicable definitions with 
similar safe harbors in other federal privacy laws, such as HIPAA’s de-identification standard. 

Modification to Section 7 Report 

The Chamber recommends that the report in Section 7 not be limited to the Federal 
Communications Commission (FCC) alone, but instead should include the FTC as well. There 
are myriad privacy-related laws that exist today that should be more closely studied to better 
assess the impact that this legislation would ultimately have. It would be prudent for the 
implementation of the proposed regulations in this draft to only take place after these reports are 
received and reviewed effectively. 
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Competitive Neutrality 

The draft potentially subjects different entities involved in online behavioral advertising 
to different types of notice and consent obligations, depending upon the type of business mode! 
they employ. For example, if a covered entity collecting information via the Internet posts its 
privacy notice “on the website” through which it collects information, it can avail itself of opt- 
out notice for the collection and use of covered information. While this approach may be 
workable for companies engaged in the “cookie-based” online behavioral advertising business 
models, it is unclear how it would apply to entities that may not (presently or in the future) rely 
upon visits to websites to collect data. Likewise, the draft allows entities that construct and 
maintain user preference profiles to utilize opt-out consent for the collection and use of covered 
information, but appears to preclude any new or different business models from doing so. 

The draft should provide all entities involved in OBA with equal opportunities to utilize 
opt-out consent for the collection and use of covered information. It should not disfavor 
particular business models with more burdensome regulatory obligations, since doing so would 
deter entry, harm innovation, and undermine competition and choice in the OBA marketplace. 

Conflicts with Other Federal Privacy Laws 

The Chamber agrees with what appears to be the intent of the provision in Section 1 1 
stating that this bill should have no effect on activities covered by other enumerated federal 
privacy laws, such as the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and HIPAA. 
As currently drafted, however, the opening clause of the proposed legislation would create a 
significant exception to this general rule (i.e., by stating “except as provided in this Act”), which 
could be interpreted by the FTC or by courts to imply that this legislation would create another 
layer of regulation in addition to provisions in each of the enumerated acts. Given the potential 
conflicts with having the same type of data collection and use covered by more than one federal 
privacy regime, a covered entity could very well find itself unable to comply with two separate 
federal privacy laws for the same covered information, thereby involuntarily subjecting itself to 
fines and other enforcement actions for non-compliance with one or both of the acts. To avoid 
this potential conflict with existing federal privacy regimes, the Chamber strongly recommends 
that this section of the proposed bill be clarified to provide an explicit carve-out from the 
definition of covered entity for entities already covered by the enumerated acts. 

Exemption for Publicly Available Information 

The Chamber strongly believes that this bill should explicitly exempt publicly available 
information from the definition of “covered information.” By definition, publically available 
information is not private. Information that is already in the public domain should not be 
covered by the bill. Moreover, this type of information cannot be used for identity theft purposes 
or any other nefarious activity, so its inclusion in this bill is unnecessary and should be explicitly 
left out. 
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Exemption for Employee Information 

Similar to the previous comment, the Chamber strongly believes that employee 
information should be excluded from coverage by the proposed legislation as this information, 
while confidential to the employer and employee, must not be subject to an employee’s choice to 
prevent its collection by the employer. Not only are employers required under federal tax and 
other laws to collect much of the data that would meet the definition of “covered information” in 
this draft bill, there are numerous existing federal and state laws that already protect the privacy 
and security of such employee information, not to mention court decisions that have sought to 
strike the proper balance between employer and employee rights to the information. It would be 
well beyond the stated purpose of this bill to re-write the laws on employer/employee data 
collection and use. Moreover, if employee information were to be covered, the proposed 
legislation would arguably affect nearly every employer in the nation, including the smallest of 
commercial entities, forcing them to modify employee data management practices. Therefore, 
the Chamber strongly recommends that the definition of “covered information” include an 
exclusion for information collected from or about a former, existing or prospective employee by 
an employer. 

The Chamber thanks you for the opportunity to weigh on this draft bill and looks forward 
to working with you and your staff on this very important issue. 


Sincerely, 



R. Bruce Josten 


Cc: The Members of the Subcommittee on Communications, Technology and the Internet 
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Mr. Rush. Mr. Zaneis, please 5 minutes now. 

STATEMENT OF MIKE ZANEIS 

Mr. Zaneis. Thank you. I used to work for the U.S. Chamber of 
Commerce, but I don’t think they would appreciate me delivering 
their testimony here today. Thank you, Chairman Rush, Ranking 
Member Whitfield, members of the Subcommittee for holding this 
hearing for the opportunity to testify about these important legisla- 
tive proposals. My name is Mike Zaneis, and I do work for the 
Interactive Advertising Bureau as Vice President of Public Policy. 

The TAB represents some 460 companies involved in online ad- 
vertising. Our companies run the gamut from the largest portals 
and search engines to branded publishers. It includes ad networks 
all the way down to the smallest Mom and Pop shop publisher on- 
line. The common theme for all of these folks is that they depend 
upon online advertising. It is a good industry and we are — continue 
to grow even in these tough economic times. In the first quarter of 
this year online advertising revenue in the U.S. grew to $6 billion. 
And that represents a 7.5 percent increase over the first quarter 
of 2009. More importantly, our industry is a major component of 
the national economy. We add more than $300 billion to the U.S. 
economy and provide more than 3.1 million jobs total. 

But we know it is not all about economic numbers here today. 
We know in our industry that the number one asset that any com- 
pany has is the consumer relationship in building trust through 
protecting their privacy and meeting their privacy expectations. 
That is why our industry has a long successful history of strong 
self-regulation. It began over a decade ago with input from the Fed- 
eral Trade Commission when industries stood up to network adver- 
tising initiative. And this was a program to oversee third party ad 
networks and how they have collected and used data for consumers 
and provided choice. 

But we knew over time as our industry grew and innovated then 
so too did our self-regulatory programs. They needed to innovate, 
and grow, and expand. That is why over 2 years ago lAD joined 
with the Association of National Advertisers, the American Asso- 
ciation of Advertising Agencies, the Direct Marketing Association 
and in conjunction with the Council of Better Business Bureaus, 
one of the most respected, reputable self-regulatory monitoring and 
compliance programs in the world, to create for the first time a 
broad comprehensive set of online privacy practices for advertising 
purposes. 

Here, too, we took away lessons from the Federal Trade Commis- 
sion. They issued their staff report about online behavioral adver- 
tising privacy principles in February of ’09. We incorporated many 
of those principles in our draft — excuse me — in our final principles 
that were issued in July of last year, including transparency, con- 
sumer notice, and something that we haven’t talked about which 
is consumer education, which is really a key component here. 

All of this leads me to the bills and the legislative proposals that 
are on the table today. And Mr. Chairman, I want to thank you for 
your recognition in H.R. 5777 about the importance of industry 
self-regulation. We think that that is the right approach in that it 
has a long history of success, it can be more flexible and dynamic. 
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and there is a commitment by industry and government agencies 
to make sure that it works. And we stand ready to work with you 
to make sure that any legislation that moves forward reflects upon 
and bolsters the success that not only the FTC has pushed out 
there and achieved, but in industry and our cross-industry self-reg- 
ulatory group. We are beginning to see fundamental change online 
already in this marketplace about how consumers receive informa- 
tion about how data is collected and used, and pushing choice out 
ubiquitously. 

That leads me to my second point that we are very gratified to 
see your recognition in the bill that a one size fits all consumer no- 
ticed jammed down in a privacy policy often is written in legalese 
may not serve consumers all that well. In fact, in our industry we 
are seeing a tremendous amount of innovation in better ways to 
serve notice to consumers and we hope to preserve that type of 
flexibility with any legislation that moves. 

But — and there is always a but — we do have a number of res- 
ervations about H.R. 5777 and Congressman Boucher’s proposal. 
And they share a couple of components that I would like to just 
identify here. The first is the concept that first party data usage 
requires an opt-out. Here we simply have to agree with the Federal 
Trade Commission’s finding in their staff report. When consumers 
go to an online Web site they understand there is going to be a cer- 
tain amount of data exchanged by that first party site and to serve 
them content and services and yes, advertising. And so, we think 
that they should be first party — clearly first party usage should be 
exempted out of this choice mechanism. Not notice — we should al- 
ways do better around giving consumers notice about how the data 
is collected and used. 

The second issue I would like to raise with you is the third party 
data sharing provision. The Internet is nothing but a series of third 
party relationships. Virtually every Web site requires these third 
party data sharing whether it is to customize content, to run your 
analytics on the back side to make sure you know who is coming 
to your site and who — and getting paid, or whether it is for rel- 
evant advertising. And so here again we agree with the FTC’s prin- 
ciple in their staff report that you should have an opt-out require- 
ment empowering consumers to exercise their choice when they 
have ligament concerns around privacy. You need to give them 
good notice, you need to empower them, and you need to educate 
them which is something that the TAB is committed to. 

So I will just sort of leave you with this last thought and I look 
forward to your questions. I think it is impossible to take informa- 
tion out of the information age, because if you do that is what you 
are going to get is less relevant advertising, and less relevant ad- 
vertising by definition is spam. I don’t think anybody wants that. 
That is not good for consumers, and it is not good for business. 
Thank you. 

[The prepared statement of Mr. Zaneis follows:] 
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I. Introduction 

Thank you for the opportunity to testify at this hearing of the House Energy and 
Commerce Committee’s Subcommittee on Commerce, Trade, and Consumer Protection, 
I’d like to thank Chairman Rush and Ranking Member Whitfield for holding this 
important hearing. 

My name is Michael Zaneis and I am the Vice President of Public Policy for the 
Interactive Advertising Bureau (lAB). The lAB is the trade association for ad-supported 
interactive media in the United States. lAB’s 460 member companies account for 86 
percent of the interactive advertising sold in the United States. Our members include the 
great names of the online and offline media world - AOL, CBS, Google, MSN, The New 
York Times, Time Inc., Wait Disney, and Yahoo! among them - as well as scores of 
smaller publishers, advertising networks, and specialists in such areas as digital video 
advertising and mobile advertising. 

lAB and our member companies vigorously support strong protections for consumer 
privacy rights and expectations in all media, online and offline. Delivering advertising 
relevant to users’ interests and needs enhances their online media experiences and 
productivity, and helps businesses to grow. Those goals are not only complementary, but 
necessarily conjoined: Providing consumers with control over their online experiences 
has been a core principle of interactive media, commerce, and advertising from the birth 
of the medium. Moreover, reinforcing consumer trust in the medium is necessary for our 
continued viability. These principles - consumer control and trust - have fueled the 
Internet’s growth into the most popular entertainment and information medium in the 
United States, and our emergence as the fastest-growing advertising medium in the 
World. 


II. Self Regulation Is Robust and Effective 

lAB strongly supports industry self-regulation and leading business practices as the most 
effective framework to provide transparency and choice to consumers. Such a framework 
will nurture the continued development of innovative offerings online. To this end, we 
believe that self-regulation inherently possesses features that make such an approach 
more effective than any legislation that might seek to govern the online ecosystem. 
Entities and their associations are best situated on the frontlines to interface with 
consumers and evaluate their experiences online. In response to any harm that consumers 
may experience, industry is uniquely positioned to respond swiftly to rapidly evolving 
online technological advances and consumer expectations with self-regulatory programs 
and best practices that carefully balance restrictions on the use of information with the 
significant benefits that such uses provide to consumers. Unlike self-regulation, 
legislation runs the risk of codifying outdated practices for decades to come whereas 
best business practices and self-regulatory programs can quickly evolve to address the 
dynamic online environment. 


1 
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Industry has ample experience and a strong track record of navigating and promoting best 
practices online that provide for a variety of effective choices to consumers. These 
practices have been embodied in numerous self-regulatory frameworks in both the 
advertising and online privacy arenas. Among the most successful examples of effective 
self-regulation are guidelines and standards of organizations including the Council of 
Better Business Bureaus’ National Advertising Review Council, the Direct Marketing 
Association, the Network Advertising Initiative, TRUSTe, the AICPA’s WebTrust, and 
BBBOnline. These organizations and programs have many years of experience in 
developing flexible and effective best practices and standards that protect consumers’ 
privacy online. 

As a recent and very important example, in July 2009 TAB partnered with the American 
Association of Advertising Agencies, the Association of National Advertisers, the Direct 
Marketing Association, and the Council of Better Business Bureaus to develop robust 
self-regulatory 

principles that provide enhanced transparency and consumer control in online behavioral 
advertising.' We provided the Subcommittee with a copy of the Self-Regulatory 
Principles for Online Behavioral Advertising upon its release. Since that time, the 
associations have been working to implement these principles, placing a significant focus 
on providing enhanced notice to consumers in the form of an industry-developed icon 
and wording that will be used to demonstrate adherence to the industry principles for 
online behavioral advertising.^ There have been tremendous developments in this area 
and any legislation should encourage such efforts, and not limit their development. 

Self-regulation in the online behavioral advertising arena has been recognized by the 
Federal Trade Commission (“FTC” or “Commission”) as the correct approach in this 
area. The Commission reached this conclusion after several years of focused study in the 
area. In the Commission’s Febraary 2009 Staff Report on Self-Regulatory Principles for 
Online Behavioral Advertising, the Commission indicated that “[s]taff supported self- 
regulation because it provides the necessary flexibility to address evolving online 
business models.”^ To this end, the report continued on to note that “in issuing the 
proposed Principles, staff intended to guide industry in developing more meaningful and 
effective self-regulatory models....”^ The principles that lAB and the associations have 
set forth in the Self-Regulatory Principles for Online Behavioral Advertising are 
consistent with the framework espoused by the Commission and the timeliness of 
their release demonstrates industry’s commitment to serving as a responsible actor online. 


American Association of Advertising Agencies. Association of National Advertisers, Direct Marketing 
Association, Interactive Advertising Bureau, and Council of Better Business Bureaus, Self-Regulatory 
Principles for Online Behavioral Advertising (July 2009), available at http://ww\v.iab.net/media/ille/ven- 
^nncipleS"Q7-0 1 -09.pdf . 

Press Release, lAB and NAI Release Technical Specifications for Enhanced Notice to Consumers for 
Online Behavioral Advertising: Critical Step in Interactive Industry’s Ongoing Self-Regulatory Efforts 
(Apr. 14, 2010), available at 

http://wmv.iab.net/about the iab/recent press releascs/prcss release archivc/press re!ease/pr-Q414 10 . 

3 

FTC Staff Report; Self-Regulatory Principles For Online Behavioral Advertising, at 1 1 (February 2009) 
(hereinafter Staff Report), available at http://vvwvv.flc,gov/os/2009/02/P085400behavadreport.pdr . 
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III. Interactive Advertising Is Important to the U.S. Economy 

As the FTC stated in its Staff Report, “Consumers have genuine and legitimate concerns 
about how their data is collected, stored, and used online. They may also benefit, 
however, from the free content that online advertising generally supports, 
as well as the personalization of advertising that many consumers appear to value.”* 
Indeed, the scope of that value is breathtaking. 

Interactive advertising is responsible for $300 billion of economic activity in the United 
States, or roughly 2% of Gross Domestic Product, according to a study released last year 
by the lAB and undertaken by Harvard Business School Professors ,Iohn Deighton and 
John Quelch, along with Cambridge, MA-based Hamilton Consultants. The study was 
designed to provide an impartial and comprehensive review of the entire Internet 
economy and answer questions about its size, what comprises it, and the economic and 
social benefits Americans derive from it. 

Professors Deighton and Quelch found that the advertising-supported Internet employs 
1.2 million people directly in jobs that build or maintain the infrastructure, facilitate its 
use, or conduct advertising and commerce on that infrastructure. Under the reasonable 
assumption that each Internet job supports an additional 1 .54 jobs elsewhere in the 
economy, then 3.05 million, or roughly 2 percent, of employed Americans owe their 
employment to the advertising-supported Internet. 

Internet jobs are widely dispersed across the United States. Every one of the 435 U. S. 
Congressional districts contains at least 17 Internet employees. Some districts support as 
many as 6,500, and twenty- four districts have at least 1,000 identified Internet 
employees. 

For the 19 states represented on the Subcommittee, our industry contributes over $218 
billion in revenue annually and is responsible for the employment of over 2.6 million 
people. 

Some 20,000 small businesses operate on the Internet. The online auction site eBay alone 
is the primary source of income for 120,000 individuals who earn their living as sellers; 
another 500,000 men and women have part-time businesses on eBay. A 2009 Wall Street 
Journal report estimates that nearly half a million individuals may make their living as 
“bloggers,” or small publishers of online content. 

At work and at leisure, about 190 million people in the United States spend, on average, 
68 hours a month on the Internet. This is unsurprising, for the Internet is a vast treasury 
of quality content, such as news, business information, entertainment, maps, and self-help 
resources. Education and information-gathering tools, including search engines, have 
undoubtedly democratized the availability and accessibility of educational content. The 


^ Id. at 7. 
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Web is a communications lifeline for an enormous number of people. There are an 
estimated 1 billion users of free email services worldwide. Some 100 million Americans 
keep in touch with family and friends through social networking sites. Last November, 
124 million Americans viewed 9.5 billion videos online that were uploaded by others. 

All of these services, information, and entertainment are free. Although, as you and I 
know, they are not really free: They are supported by advertising. 

This is not surprising. From the early 19* Century, advertising has been at the center of a 
vital value exchange between businesses and consumers. We provide quality news, 
information, entertainment, and other services, in return for which consumers give us 
their time and attention. That time and attention, in turn, allows businesses to 
communicate the availability of goods and services to consumers and customers. 
Advertising is the heart of the U.S. consumer economy. 

Given the centrality of the Internet to Americans’ lives, it’s natural that advertising has 
grown to become the medium’s primary financial support. In 2002, advertising 
contributed 7 percent of the $78 billion paid for Internet services to the U.S, economy. In 
just seven years, while the value of the Internet has doubled, advertising has increased 
fourfold and its contribution to the pool of funding for the Internet has grown to 1 1 
percent. Advertising is the only Internet funding source that has shouldered more of the 
burden tlian seven years ago. Online interactive advertising has substantially reduced 
what consumers have had to pay for e-commerce products and services. 


W. Regulation Presents Risks 

The interactive advertising industry continues to grow and provide greater benefits to 
consumers. In the first quarter of 2010 alone, interactive advertising revenues in the 
United States hit nearly $6 billion. This shows a 7.5% revenue growth over the first 
quarter of 2009, despite a difficult economy, and at a time when overall advertising 
spending was decreasing.* You might think that a medium so wildly popular and so 
useful for so many people would be strong enough to withstand any and all challenges. 
But the interactive advertising ecosystem is fragile. In their report, Professors Deighton 
and Quelch caution against inappropriate “restrictions on advertising or use of individual- 
user data [which] could undermine the effectiveness of major elements of the Internet,”’ 
The components of the ecosystem that they believe could be compromised include: 

• The ad-supported search engines and many content sites that provide information, 
entertainment, news, and social networking; 


** QI ‘10 Internet Advertising Revenue Press Release, lAB Internet Advertising Revenue Report conducted 
by PricewaterhouseCoopers (May 13, 2010), available at 

http:,ywrvw. iab.net/about the iab/recent press releases/press release archive/press release/pr-0S1310 . 

’ Hamilton Consultants, Inc., with Dr. John Deighton, Harvard Business Schooi, and Dr. John Quelch, 
Harvard Business School. Economic Value of the Advertising-Supported Internet Ecosystem, at 9 (June 1 0, 
2009), available at http:,'/\vww.iab.net/mediatrile/Economic-Value-Report.t>df . 
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® The enterprise websites created by companies and other institutions that 
increasingly are able to individualize the messages; and 
• The e-commerce companies that use data to personalize offers to current 
customers. 

As a representative of the interactive advertising industry, 1 too share their concerns. 
Some of the proposals we have seen from advocacy groups and the legislative proposals 
being considered today could unintentionally cause material harm to the existing 
interactive advertising industry, and impede our industry’s growth and constrain the 
services and content that are currently provided to consumers, largely free of charge. 


V. H.R. 5777 Represents Significant Progress in the Privacy Debate 

A. Industry Self-Regulation Remains the Most Effective Framework for 
Protecting Consumers 

I’d like to commend the Chairman for recognizing the value and importance of a strong 
self-regulatory program. As mentioned earlier in my testimony, industry has been 
working diligently these past twelve months to set-up a self-regulatory regime that 
encompasses the entire online ecosystem, from publishers to service providers. I’m 
pleased to see that some of the Principles first proposed by the FTC and subsequently 
adopted by the self-regulatory program are incorporated here in Title IV of H.R. 5777.* 
However, this is a complicated process and I believe that further refinements to the 
language can be made to make it compatible with the FTC’s and industry’s existing 
work. 

I believe that the incorporation of Title IV in this legislation is truly a testament to the 
hard work and progress industry has made in this area. While I applaud the Chairman’s 
inclusion of Title IV, I would like to briefly note some of the incredible complexities and 
unintended consequences that can arise when attempting to legislatively proscribe 
practices that do not conform to existing business models, and limit flexibility to develop 
new models. 

As the online advertising business model currently exists, most advertisements being 
served on publisher websites are in fact being served by third party companies, such as ad 
networks. Third party ad-serving platforms, such as Doubleclick and Atlas, deliver 
almost 90% of the display advertisements seen online. Virtually all small publishers - the 
ad-supported sites and blogs too specialized to afford their own sales staffs - sell and 
place ads via online advertising networks like Burst Media and Advertising.com. Since 
these ad networks are largely responsible for the serving of ads that appear on publisher 
websites, and data collection, they are best situated to provide consumers with options 


‘ Two key Principles of the Self-Regulatory Principles for Online Behavioral Advertising include 
Consumer Control and Accountability, which are both addressed under Title IV; §403, 1 A references a 
“clear and conspicuous opt-out mechanism” (i.e. Consumer Control) and §403 2C acknowledges the 
realization that “accountability and compliance testing is important.” 
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regarding notices of data collection as well as choices as to how that data is being used. 
However, a.s currently drafted, H.R. 5777 does not fully consider the role that these types 
of third parties play in the online advertising space, and instead focuses on data collection 
being done by a first party, i.e. a publisher.® This type of requirement does not reflect the 
true nature of how data is collected and used in the online marketplace. Given the 
incredible technological intricacies of the online advertising marketplace, it can be very 
easy to miss such seemingly trivial, but critical nuances. 

B. A Flexible Notice Requirement Is Key for Keeping Consumers 
Informed and Engaged 

It is no secret that it has become harder and harder to get consumers to pay attention to 
privacy policies. Privacy notices and policies seem to have proliferated in both the online 
and offline worlds over the past ten years, and industry has evolved to become 
increasingly more creative in catching consumers’ attention. It would be fair to say at this 
point consumers are feeling inundated with potentially confusing privacy notices, ® The 
presence of Section 1 02 (F) - that the FTC should consider “the risk to consumers and 
commerce of over-notification” - demonstrates that the Chairman is aware that this 
practice may not in some instances serve consumers well. We commend the Chairman for 
this recognition and believe that Title 1 of H.R. 5777 takes a progressive and innovative 
approach in recognizing that when it comes to privacy notices, one size does not 
necessarily fit all." The FTC Report urged industry to seek ways to provide consumer 
notice outside of the privacy policy. This provision has been fully embraced by the cross 
industry self-regulatory group and we have established new and innovative ways to 
deliver more easily identifiable and understandable notice to consumers. I applaud the 
Chairman’s inclusion of language that would allow for innovation in this area, giving 
industry the opportunity to do what the advertising industry does best - get consumer 
attention - and hope that as this draft is considered that it will move even further towards 
this flexible, effective standard. 


VI. H.R. 5777 and the Boucher Proposal Could Limit Critical Existing Business 
Models 

A. H.R. 5777 and the Boucher Proposal Impact the Relationship Between 
First-Party Publishers and Their Customers 


^ Title IV, §403 i A, as drafted, appears to only cover the transfer of data from a “first-party” (i.e. publisher) 
to a “third party” - it does not appear to cover scenarios where a third party (i.e. ad network) is collecting 
the data. 

A bill currently in the Senate Committee on Banking, Housing and Urban Affairs entitled the “Eliminate 
Privacy Notice Confusion Act” (H.R. 3506) would amend the Gramm-Leach-Bliley Act to provide an 
exception from the continuing requirement for annual privacy notices for financial institutions in limited 
circumstances. One of the rationales behind the bill has been that consumers are becoming desensitized to 
privacy policy notices. 

' ' § 102 (b) of Title I, “Provision of Notice or Notices” allows for the FTC to promulgate regulations that 
would allow for variations in how notice could be delivered, i.e. variation.s based on type of media being 
employed, whether a short notice or limited disclosure would be more appropriate, etc. 
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H.R. 5777 and the Boucher proposal both envision imposing opt-out requirements on first 
parties that would impact the relationship between customers and publishers. Consumers 
are aware of, and significantly benefit from, use of infonnation from first-party sites. 
Many consumers also enjoy personalized webpages when they return to a website with 
which they have had a previous interaction and perhaps an ongoing relationship {e.g., 
personalized websites for consumers that frequent online retail ecommerce sites). People 
visit such sites with the expectation of exchanging information in order to benefit from 
the sites’ online offerings. 

When the FTC first began exploring the issue of how first parties should be treated in the 
online behavioral advertising context, it initially proposed a similar standard to the one 
set forth in H.R. 5777 and the Boucher proposal. ^ After reviewing feedback on the 
proposed principle, however, the Commission determined that the principles should 
exclude first parties and avoid getting in the middle of first parties and consumers.'^ The 
FTC reasoned that ‘“first party’ behavioral advertising practices are more likely to be 
consistent with consumer expectations, and less likely to lead to consumer harm”''* and 
that “given the direct relationship between the consumer and the website, the consumer is 
likely to understand why he has received the targeted recommendation or advertisement 
and indeed may expect it.'^” 

I encourage the bill sponsor to adopt language in this area that incorporates the FTC’s 
findings and allows the first-party/consumer relationship to remain strong and vibrant. 
This principle could, for example also be included within the self-regulatory provisions 
of the bill. 


B. We Support Applying an Opt-Out Standard to Sharing with 
Unaffiliated Third-Party Publishers 

H.R. 5777 and the Boucher proposal would impact online information flow by restricting 
transfers of information to unaffiliated third-party publishers. lAB members have long 
adhered to the principle of providing choice to consumers through opt-outs for the 
transfer of data to third parties for advertising and marketing purposes. We believe that 
such a standard is critical any legislation in this area. 

As recognized in the Executive Summary of the Boucher proposal, online advertising 
supports much of today’s online commercial content, applications, and services that are 
available for free. In addition, Congressman Boucher has many times publically stated 
that consumers generally do not “opt-in” or “opt-out” of information sharing and 
advertising. In the experience of our members, only those few individuals, sometimes 
called the “privacy fundamentalists,” opt-out. Thus, requiring consumers to opt-in to 


See FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising (February 2009) 
(hereinafter Staff Report), available at http://www2.ftc.gOv/os/2009/02/P085400behavadreport.pdf 
Id. at 46. 

” Id at 26. 

” Id at 27. 
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transfers to third parties would drastically reduce the free flow of information that is the 
heart and soul of today’s Internet offerings. Currently, information is collected in a 
seamless manner that does not interrupt a consumer’s online experience. Changes to the 
system proposed in H.R. 5777 and the Boucher proposal would turn the Internet from a 
fast-moving information highway to a slow-moving toll-road. Such a move would hinder, 
not facilitate ecommerce. We stand ready to help craft a consumer choice standard that 
would preserve this important source of revenue upon which the Internet depends, 

C. The Scope of “Sensitive Data” in H.R. 5777 and the Boucher Proposal 
Is Too Broad 

We have reservations about the broad scope of the term “sensitive information” contained 
in these legislative proposals. The proposed definition extends beyond the data identified 
as sensitive by the FTC.'*’ We can all agree that subsets of the enumerated areas should 
be subject to heightened standards. However, this is a complicated area that should be 
studied and requires further refinement. 

This provision would restrict multicultural marketing and media. The definition of 
“sensitive information” includes online communications to ethnic, racial, and religious 
minority audiences and places an opt in requirement for marketing to these audiences. 
Latino, African-American, and Asian-oriented Web sites would certainly be prevented 
from providing media kits to or delivering customized content or advertising on behalf of 
the agencies that place ads on their sites. While certainly not intended, we are concerned 
that these types of services provide great benefit to these audiences and the proposed 
restrictions would unintentionally harm the very groups of people they seek to protect. 

D. H.R. 5777’s Private Right of Action Is Unnecessary 

We are very concerned with H.R. 5777’s inclusion of a statutory private right of action in 
this area. I am not aware of any instances of a consumer being economically harmed by 
the collection or misuse of any data collected for online advertising purposes. The 
chilling effect on legitimate commerce in this area that could result from a private cause 
of action should not be overlooked. 

Title VI of H.R. 5777 allows for multi-enforcement efforts by both the Federal Trade 
Commission as well as state attorneys general. Given their extensive expertise and 
experience in investigation and enforcement, the FTC and state attorneys general are 
well-positioned to handle any potential complaints. In particular, the thousands and 
thousands of small and medium-sized websites that don’t have the capacity to deal with 
the uncertainly and expense of defending themselves against a barrage of lawsuits that 
may be meritless. 


Id. at 43-44. 
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E. An Access and Correction Regime Is Unwarranted In This 

Environment 

Given that online advertising data is largely anonymous in nature, a legislative 
standard calling for “access and correction” databases is both unnecessary and workable. 
Unlike information governed by the Fair Credit Reporting Act, data being used for online 
advertising purposes is generally information that involves clickstreams, cookies, 
dynamic IP addresses - essentially, pieces of information that amount to long streams of 
text or code that aren’t identifiable to an individual. They don’t include names, addresses, 
social security number, financial account numbers, balances owed, credit limits, etc. Most 
third parties in this ecosystem do not know what individual is associated with a certain 
cookie or clickstream - pragmatically speaking, if they cannot identify an individual, they 
cannot offer opportunities for access or correction to information about that individual. 
Thus, this provision would unintentionally create a perverse incentive for companies to 
collect more personally identifiable information than they currently do in order to 
comply. 

Setting aside these pragmatic concerns for a moment, another question raised by the 
access and correction language in H.R. 5777 is the question of what harm is possible 
based on an online mai'keter, publisher, or network collecting clickstream data about the 
fact that a consumer likes blue shirts vs. red shirts. While the access and correction 
language included in Title II of H.R. 5777 may serve a demonstrable purpose in other 
regimes, where misuse of information could result in an individual may being denied 
employment or access to credit, we are concerned that it is an overly burdensome 
standard in the collection and use of data for online advertising. The use of information 
for making critical determinations such employment or credit are already strictly 
governed by other laws. If there are similar potential misuses of information that 
necessitate such a standard, these uses should be specifically enumerated and considered 
on their merits rather than such a general requirement that would impact so many 
millions of businesses of all sizes. 


VII. Conclusion 

Thank you for considering the views of the lAB on these issues. The success of the 
Internet has helped fuel this country’s economy and it is important to ensure that this 
medium can continue to grow and thrive. We look forward to working with members of 
the Subcommittee as they consider privacy proposals and the legislative process moves 
forw'ard. 
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Mr. Rush. The Chair wants to thank all of the witnesses for your 
outstanding testimony today. A vote now occurs on the floor of the 
House of Representatives. There are two votes — should be probably 
about 30 minutes or more — around 30 minutes, so it is the Chair’s 
intention to recess the Subcommittee and to reconvene immediately 
after the last vote takes place. So it will be about half an hour. So 
I apologize for the interruption of this hearing, but we will be back 
as soon as we can. The Subcommittee now stands in recess. 

[Recess.] 

Mr. Rush. The Committee will reconvene, return to order. The 
Chairman recognizes himself for 5 minutes for the purposes of 
questioning the witnesses. 

Mr. Hoffman, I was interested in your testimony, and in your 
testimony you highlighted the importance of providing FTC rule- 
making authorities to flesh out certain requirements in the Best 
Practices Act and to adapt the bill’s provisions to changes in tech- 
nology. Other stakeholders have raised concerns that providing 
FTC with this type of rulemaking authority in the bill will create 
enormous regulatory uncertainty that is bad for commerce. 

What are your thoughts on this? If FTC does not provide a rule- 
making authority, will the bill quickly become outdated? Are you 
concerned about regulatory uncertainty and would you answer 
those questions for me, please? 

Mr. Hoffman. We think the Best Practices Act does an excellent 
job of not just providing rulemaking authority to the FTC, but 
guiding that rulemaking authority by certain criteria that should 
have to shape the regulations that would emanate from the FTC. 
Our perspective when we look at privacy legislation is to allow pri- 
vacy to continue to actually aid innovation instead of impede inno- 
vation. 

Individual pieces of legislation need to be technologically neutral 
to allow for the enforcement agencies to apply those principles to 
the individual new business models when they come up and to pro- 
vide guidance in that way. The FTC has been an absolute leader 
in doing that for the past decade. 

Mr. Wadeck mentioned the various methods that they have used 
to do that with the different enforcement actions that they have 
taken, plus the round tables that they have held, and how they 
have communicated with industry and academics. We think that 
the Best Practices Act balances those different interests very well. 

Mr. Rush. Ms. Harris, is the importance to FTC rulemaking 
the — in this act just for consumers and is it just for business also? 

Ms. Harris. We think so. You are always — when you are writing 
a bill like this you can be highly specific, and the bill will lock in 
today’s business practices, it will not have the flexibility that you 
need for business practices that we haven’t seen, and it will not 
allow the law to basically live in a way that will address business 
practices we haven’t seen. Giving the FTC very specific rulemaking 
authority here first of all allows them to take into account the dif- 
ferent kinds of business models and technologies that we are deal- 
ing with, but it also, I think, allows over time for modifications de- 
pending on changed circumstances. So yes, we think FTC rule- 
making is essential here. 
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Mr. Rush. In past legislation the third party or unaffiliated party 
has been defined based on the corporate structure of an entity, 
such as common ownership or corporate control. And during this 
hearing and in other sidebar conversations we have heard concerns 
that consumers may not understand which entities are subsidi- 
aries, affiliates, parent corporations, or otherwise under common 
control with another company. On the other hand, corporate struc- 
turing is known and we do not know — we don’t want to draw an 
arbitrary line. 

Ms. Harris and Mr. Mierzwinski, do you believe that consumers 
may have difficulty understanding when entities are related by 
common ownership or control? Should privacy matter? Should pri- 
vacy legislation take into account the best reasonable expectations 
of the consumer as this act does? And is this a workable definition? 
Lastly I — ^you can answer these three questions in the manner that 
you would choose to. Lastly, what are the benefits of an approach 
based on common ownership or control and does it provide compa- 
nies with more clarity? Those are a series of questions. I hope you 
can kind of summarize the questions in your answers. 

Ms. Harris. I am going to let Ed go first. 

Mr. Mierzwinski. Oh, thank you. Chairman Rush, and I think 
I want to commend you on your provision recognizing the artificial 
distinction of this corporate common control. Consumers don’t have 
any idea that their bank owns some hundreds or thousands of 
other affiliated entities. And the Internet has a number of 
networked companies that are the same way. So going to an activi- 
ties based definition rather than a corporate ownership definition, 
we support that, and I think it is much closer to consumer expecta- 
tions that except for the company you are doing business with, 
pretty much everyone else is a third party. 

Ms. Harris. So I generally agree. I do think that your bill prob- 
ably gets it as close to right as you can because it is a complicated 
issue. I am glad that there is some room for FTC rulemaking on 
that provision. The key question here is would a consumer under 
reasonable circumstances believe that they are dealing with an en- 
tity that is under common control. And I really think that that is 
probably — has to do with common branding. I think most of us 
know that GAP and Banana Republic and Old Navy and a whole 
set of companies are sort of one. But given a sort of large multi- 
national that owns many, many, many different lines of business, 
we have to keep that very narrow in the interest of the consumer 
and I think you’ve done that. 

Mr. Rush. The Chairman’s time is concluded. Now the Chairman 
acknowledges Mr. Whitfield for 5 minutes. 

Mr. Whitfield. I thank all of you for your testimony and trying 
to balance protecting privacy versus generating revenue for adver- 
tising to keep the Internet the vibrant marketplace that it is — 
searching browsing history of a particular person, and can some of 
you, maybe Ms. Harris or Mr. Mierzwinski, identify for me the pri- 
vacy concerns with the anonymous monitoring of web browsing his- 
tory, and should that require the same level of consent as using in- 
formation like Social Security number, bank account numbers and 
so forth, and just give me your perspective on the differences there- 
in. 
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Ms. Harris. Mr. Whitfield, the way that they are able to collect 
discrete pieces of browsing history is usually to tie them together 
with an IP address. In that instance companies can pull them to- 
gether into profiles, and they can be put together with information 
to identify the consumer. So in the technological environment that 
we are in now, the ability to bring discrete pieces of information 
together into an identifiable profile is simply much easier. I think 
that there is a conversation to be had wherein where you draw the 
line and — but I think that that is something that has changed dra- 
matically from, you know, the first time that privacy legislation 
was introduced in Congress. 

Mr. Mierzwinski. Mr. Whitfield, I would agree and I would say 
that from my perspective one of the strongest pieces of both bills 
is that IP addresses insensitive information. We are concerned that 
de-identified or supposedly anonymous information can be repack- 
aged back together. There are numerous examples of that hap- 
pening, and I would also point out that a recent complaint by U.S. 
PIRG, the Center for U.S. Democracy, and other groups talks about 
just how easy it is and how the technology has changed in the last 
few years that consumers are being sold on a real time basis now. 
They are not compiling dossiers that take even half an hour to 
compile. The ads are being served instantly. They are being bro- 
kered to the highest bidder. It is very sophisticated, and little bits 
of information can add up very quickly. 

Mr. Whitfield. Mr. Zaneis, would you like to comment on this? 

Mr. Zaneis. Yes, thank you very much, appreciate the oppor- 
tunity. I think Congress has to be careful not to try to legislate the 
possible, or the theoretical, and to understand the business model. 
And here I actually disagree slightly with Leslie. It is not that VAS 
or predominant business model to tie click stream data back to per- 
sonally identifiable information — certainly not in the online adver- 
tising space. In fact many of the ad networks specifically — adver- 
tising networks deliver some 90 percent of all ads online. They are 
generally third part by nature. Their business model generally is 
not to try to tie it back to what we would traditionally think of as 
personally identifiable information. Certainly there is a lot that is 
possible through technology, but I don’t think we can legislate the 
possible. We ought to be looking at actual business models, and I 
think that when we look at H.R. 5777 it actually gets closer under 
their definition of covered information to what we ought to be fo- 
cusing on, which is things that are actually personally identifiable, 
not sort of anonymous in nature. 

Mr. Whitfield. And Mr. Rubinstein, since you are an academic 
here, do you have any comments on this? We always value aca- 
demics’ thoughts. 

Mr. Rubinstein. Thank you, Mr. Whitfield. I would think I 
would just add that it is important not to think of anonymous data 
as just a binary category, that it is — data is either anonymous or 
it is not anonymous. And the emphasis might be on specific con- 
text, so how much data is being assembled and what is the quan- 
tity of data? Is it being publicly shared or privately shared? What 
is the specific context? Rather than try to get at this through defi- 
nitions that have just a black and white aspect to them. 
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Mr. Hoffman. I would just like to add one point on that — to 
that. I think the current draft of the Best Practices Act actually 
recognizes that reality that Professor Rubinstein is commenting on. 
As an employee of a technology company there are a number of 
unique identifiers in hardware and software that are used on most 
computing platforms. What is happening in reality — Mr. Zaneis’ 
point is a very good one. We need to look at the realities. It is some 
of those unique identifiers that are used and apt to correlate to a 
lot of this data that could be described sometimes as personally 
identifiable information. Others might say no, it is only identifying 
a particular device or a particularly device at a point in time. That 
is why I actually think the definition of preference profile which is 
saying that it is a list of preferences associated with an individual 
or with an individual’s computer or other device, but then tying 
that to allow exception for participation in a choice program is an 
excellent way to navigate the issues that even if something is not 
completely identifiable to a particular individual it still could have 
the great potential to impact an individual. 

Mr. Whitfield. Thank you. I see my time has already expired. 

Mr. Rush. The Chair now recognizes Mr. Space. 

Mr. Space. I won’t need fifteen, Mr. Chairman. In fact, I won’t 
even need five, but thank you. I really don’t have any questions 
having come in after the votes and after the testimony, but I do 
want to express my appreciation to Chairman, and to the Ranking 
Member for the deliberate process that we have undertaken in ex- 
amining, reviewing, and modifying issues relating to privacy when 
it comes to access to the Internet and broadband generally. I think 
that having all the stakeholders present and participating in this 
discussion is very, very important and we see that today. We have 
seen it in the past, and we will see it in the future whether it is 
academia, industry, govern officials, consumer advocacy groups — all 
of those stakeholders deserve a place at the table and our Chair- 
man and the Ranking Member have offered them that. 

So I want to thank the witnesses today, thank you, Mr. Chair- 
man, and the Ranking Member for again such a deliberate a thor- 
ough analysis of an issue that is becoming increasingly important 
as we see the role of broadband integrated into virtually all aspects 
of our lives. And I yield back my time. 

Mr. Rush. The Chair thanks the gentleman for his kind remarks. 
And the Chair will now entertain a second round of questions, and 
with that in mind, the Chair recognizes himself for 5 minutes. 

This question is addressed to Mr. Vladeck and Mr. Zaneis. Sec- 
tion 303 of the Act says some entities using covert information or 
sensitive information for any purpose for as long they are in — ^busi- 
ness or in law enforcement need. Is our rebuttal presumption — is 
it too vague? What would be wrong with setting a date certain re- 
strictions say in six months or a year? 

Mr. Vladeck. Mike, do you want to go first? 

Mr. Zaneis. No, you go ahead. 

Mr. Vladeck. The Commission has not taken a position on any 
of these issues and we would like the opportunity to comment later 
on once we have had a fuller opportunity to look at this. Just gen- 
erally, you know, we believe that certain kinds of information 
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ought to be subject to heightened protection. And so that is, you 
know, the Commission has made that clear in other context. 

Mr. Zaneis. We are going to figure this out. Luckily I represent 
the advertising industry so I know how to get my message heard 
even when people don’t want to hear it. I think Section 303 — I 
think one size fits all doesn’t always make sense in the online 
space. What you see here is a diversity of opinions, but what we 
see in the industry is a diversity of business models. And some- 
times they may need to keep information for different purposes, 
and what is a legitimate business purpose I think differs, so you 
know, I want to take that back to my members and see if it is 
something that they are going to be supportive of or if there is 
some refinements we need to make. But as we have seen around 
things like consumer notice and other areas, a one size fits all isn’t 
always the best approach, but we are willing to look at that and 
work with the Committee and you, Mr. Chairman, on that. 

Mr. Rush. Mr. Rubinstein, would you chime in on this with your 
opinion, please? 

Mr. Rubinstein. I would generally agree that having different 
time periods for different types of data or different purposes is a 
good idea rather than a single limit. I think the one thing that 
Congress should worry about, though, is companies that would re- 
tain data simply because they might have some use of it in the fu- 
ture. So where it is that non-specific and it is just a future business 
possibility, I don’t think that is a sufficient reason for some unlim- 
ited period of retention. 

Mr. Rush. Mr. Rubinstein and Mr. Mierzwinski suggested in 
their testimony that this safe harbor in H.R. 5777 in several ways. 
I am going to ask both gentlemen what specific recommendations 
do you have for structuring the safe harbor provisions? 

Mr. Mierzwinski. Thank you, Mr. Rush. I think the bill as cur- 
rently structured captures the key point that I emphasized about 
having a mix of carrots and sticks, and that the Private Right of 
Action serves as a very significant stick or incentive for businesses 
to join. I think the one thing that I would call attention to, though, 
is whether the safe harbor choice program has a strong enough em- 
phasis on high performance standards. And that is why I empha- 
sized data governance practices such as appointing a chief privacy 
officer or having privacy by design methodologies so that there are 
other standards that a choice participant lives up to which in effect 
entitles them to the exemptions that they enjoy under the choice 
program. And I think the question then is how to best balance that 
mix of exemptions on the one hand that serve as incentives to join 
while ensuring that only companies engaged in a very high level 
of privacy protection are then entitled. Finally I would point to the 
desirability having some form of public consultation as part of this 
process and one way to do that might be for a choice program as 
part of their application for approval to indicate what type of public 
consultation they have engaged in. Have they met with advocacy 
groups, have they met with the public, if so how have they ad- 
dressed concerns that those groups have raised. If they haven’t ad- 
dressed them, why not. So that all is transparent and available to 
the FTC in making its evaluation of the choice program. 
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Mr. Mierzwinski. Mr. Chairman, I would add to that that I 
think our concern is that many self-regulatory programs whether 
under the Securities and Exchange Commission, whether under the 
FTC, or other agencies, they work best when they have a robust 
legal standard, robust statutory framework underneath. And rely- 
ing on the companies themselves and rule making only by the FTC 
is usually not good enough. And we would urge you to consider 
strengthening the Federal Trade Commission’s monitoring of the 
choice program and the accountability mechanisms in there. And to 
do that of course, we would also support strengthening the Federal 
Trade Commission in general if they need additional resources to 
do those kind of things. 

Mr. Rush. My time is up. The Chairman recognizes the Ranking 
Member. 

Mr. Whitfield. Thank you. Is there anyone on the panel other 
than Mr. Goldman that believes there should not be private right 
of action? OK. 

Mr. Hoffman. Intel does not support a private right of action. 
We think that it — in the context of privacy in the great percentage 
of situations the individual actually does not even potentially know 
that they have been harmed, and they don’t know who actually has 
caused the harm until after. We think that the best use of re- 
sources is to focus on mechanisms like the choice program in a way 
that was just articulated. It really — to vote those resources to orga- 
nizations putting into place robust accountability mechanisms into 
their compliance programs that way we will avoid the breaches be- 
fore they even happen. 

Mr. Zaneis. And I won’t take up much of your time. I couldn’t 
agree more. I would just say then I think what we might want to 
focus on legislatively is strengthening the Federal Trade Commis- 
sion and their enforcement, and more resources, more cops on the 
beat I think would be a good thing in this area. 

Mr. Whitfield. I am certainly not an expert in this area. In fact, 
I am far from it, but I have read that the OECD’s privacy protec- 
tion rules, guidelines for privacy protection are some of the most 
stringent in the world. Is that your understanding as well — most 
of you? Do you understand that to be true? 

Mr. Mierzwinski. I would just say it is — the understanding in 
privacy that they are the most robust implementation of the Fair 
Information Practices that were actually first developed by a U.S. 
Regulatory Committee, but how they are implemented in law is dif- 
ferent in different places. And I would say the only U.S. law that 
comes close to implementing them in a very strong way is some- 
thing called the Fair Credit Reporting Act which regulates credit 
bureaus. Other laws rely on a much weaker version on the FIPs. 

Mr. Whitfield. Well, we — if we were to adopt the OECD prin- 
ciples basically would you support that or 

Mr. Mierzwinski. Oh absolutely, and I want to say that both 
bills adopt parts of it. And in fact the Best Practices bill adopts 
quite a bit of the Fair Information Practices. We think we can go 
further with purpose, specificity, data minimization, data retention, 
and again accountability that is giving more rights to the data sub- 
jects. 
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Ms. Harris. Mr. Whitfield, I just — I want to agree that a strong 
set of Fair Information Practices and certainly the OECD is sort 
of the foundational in the United States. The Department of Home- 
land Security issued a set a few years ago that I think are you 
know perhaps captures some of the more modern concerns just a 
little bit that basically the bill really needs to include them all. 
That we have spent a long time focusing on you know opt-in, opt- 
out consent from the consumer, and when that is all you have in 
a bill, then you are pretty much telling the consumer that they 
have got to figure it out. They have to read privacy policies, they 
have got to understand it, and that the companies don’t have any 
substantive obligations, l^en you include data minimization, et 
cetera, then you are putting real limits and the companies have to 
decide how to handle those. 

Mr. Whitfield. Mr. Mierzwinski — oh I am sorry, go ahead. 

Mr. Zaneis. Sorry, I just — I want to be sure that the Chairman 
and you. Ranking Member Whitfield understand that there is a lot 
of Fair Information Practices in — certainly in H.R. 5777. I — you are 
talking about notice, and choice, and data security, and accuracy. 
These are Fair Information Practice principles. That does not mean 
you need all of them in a bill about things like marketing data- 
bases. In our written testimony we go into the access and correc- 
tion provisions and the reality there is what we are talking about 
in some of these marketing databases are strings, user agent 
strings which are nothing more than computers talking to com- 
puters telling you what for instance operating system a computer — 
a person is using to go to a site. This is used to render the content 
readable to the consumer. I ask you what is the, you know, what 
is the purpose in allowing correction to that type of database? It 
is gobbly-goop to the consumer, and I worry about allowing people 
to get into those databases when there is no real harm. We are not 
talking about Fair Credit Reporting Act. There you are talking 
about adverse actions against consumers, things centered around 
employment eligibility, access to credit, getting a home mortgage 
that is not what we are talking about here. 

Mr. Whitfield. May I ask one other question? 

Mr. Rush. Ms. Harris wanted to respond. 

Mr. Whitfield. Oh, I am sorry. 

Ms. Harris. I want to strongly disagree with that. Access is one 
of the key Fair Information principles. The likelihood that a con- 
sumer is going to demand access to a string of code I think you 
know if that is the concern my guess is we can figure out how to 
handle it in this Committee. But we are building larger and larger 
databases with all kinds of information and to me that is one of 
the fundamental rights that consumers have and that it needs to 
be part of this bill. 

Mr. Whitfield. In Mr. Rush’s bill in the definitions under cov- 
ered entity it simply says engaged in interstate commerce what- 
ever, whatever, whatever, and since I was in the railroad industry 
I know that when we talk about federal preemption it is from the 
business standpoint. We always loved federal preemption because 
we had some certainty in whatever state we operated in and so 
forth. And I know that a number of you would be opposed to fed- 
eral preemption in this arena. Are any of you opposed to — OK 
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Mr. Mierzwinski. We are very strongly opposed and the Best 
Practices bill is a much narrower form of preemption, but we prefer 
that federal law be a floor. 

Mr. Whitfield. What about you, Mr. Rubinstein? Do you have 
a comment on that? 

Mr. Rubinstein. I would favor a narrow form of preemption. I 
think that it does allow businesses to operate with more certainty, 
and it is extremely difficult, and costly, and not very effective to 
have to design compliance programs that vary depending on which 
state you operate in. So I think some form of preemption is a nec- 
essary aspect of this bill. 

Mr. Whitfield. Did you want to make comment, Ms. Harris? 

Ms. Harris. Yes, Mr. Whitfield, it is CDT’s position is that first 
the bill has to be good enough at the federal level to consider pre- 
emption. So you know in saying whether we support it or don’t sup- 
port it you know this is a messy process. But assuming that the 
bill provides the right degree of protection then a narrow preemp- 
tion that really covers just those covered entities and just those 
practices is something that we are comfortable with. But you know 
there is a threshold of what the bill is implying, and we do think 
that Mr. Rush’s bill gets that right. 

Mr. Whitfield. Yes, well I was assuming that if Mr. Rush 
pushed the bill through it would be all right. 

Mr. Rush. I want to get in on one of the questions, and this 
question is addressed to Mr. Goldman and Ms. Harris. In your tes- 
timony earlier you say that user ID’s and implications alone should 
not be defined as covered information. And given the fact that 
there are software passwords, guessing tools out in the market- 
place, what kind of concerns can we have? And I am kind of point- 
ing to a recent development among myself and — with myself and 
some other members of Congress. There is a certain company that 
has something they call street maps and I am really alarmed by 
these street maps. My residence has shown up on these street 
maps, and there are other members of Congress whose residence 
has shown up on these street maps and we are concerned about the 
notability (ph) especially for us protecting — protecting assets to the 
webs and Internet. What kind of harm could be visited by con- 
sumers with some of these different programs and would you re- 
spond to that Ms. Harris and Mr. Goldman about these certain 
issues? 

Mr. Goldman. I think as in our testimony I think we talked 
about how if the information is not directly linked back to the indi- 
vidual, so if it is just a password or some other kind of information 
that is not, you know, connected to your other kind of personal in- 
formation, that should not be part of the PIT. And so I think that 
is where we are at. You know, you could — theoretically you could 
have a lot of information out there. There is a lot of information 
out there. You might, for example, if you belong to a social net- 
work, you know, a social networking site you might put your name 
up there, you might created a username. You know, but it might 
not be linked back to your own name, your own personal — I guess 
whether financial or health information. So I think you know, as 
long as that is — the question is what is going to harm us in result 
from all that I think. And as we go into — our testimony also talks 
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about we are hesitant about adopting sort of new standards and 
new definitions of covered information. I think you know to the ex- 
tent that we can standardize definitions across, you know across 
bill, across state bills, and federal bills that would be a good thing. 
So if you look at personal information as defined in some of the 
state bills, some of the state data breach and privacy bills I think, 
you know we have not taken — I think there will be some support 
for that. But I have not talked to our members about that at all 
yet. 

Mr. Rush. Ms. Harris, you have a response? 

Ms. Harris. If the question is about, you know, whether we 
should be covering passwords and unique identifiers that protect 
this kind of information then I think in the right circumstances we 
should and I think that your bill does do that. 

Mr. Rush. Does any other witness want to respond? Mr. Hoff- 
man? 

Mr. Hoffman. Yes, I think it is a very good question. I think we 
find ourselves in a situation where there are a number of different 
kinds of data that while they do not point to a very specific indi- 
vidual, they might point to a device or a location or something that 
could end up impacting that individual. This is a very difficult bal- 
ance to sort out. I actually think the Best Practices Act comes very 
close to getting this as right as you possibly can. We are saying if 
you have got those kinds of identifiers whether it is a password, 
a user alias, an IP address, or something that it will be covered if 
it falls under two different categories. One would be if it relates to 
a specific individual or then if whether it is created to maintain a 
preference profile. That may not cover every way that this informa- 
tion could potentially impact an individual at some time, but I 
think that would give business enough certainty to understand 
what is being covered and would cover the great bulk of the situa- 
tions where people are concerned right now. 

Mr. Zaneis. I think the definition and some — we are in some 
ways putting the cart before the horse. The choice options that we 
identify really also matter because when you put a blanket opt-in 
for third party data usage which is the Internet — we did a survey 
earlier this year that demonstrated then over 80 percent of all on- 
line advertising campaigns used behavioral targeting or techniques. 
So when you are talking about opt-in for third party data usage, 
you are talking about the vast majority of the economic engine of 
the Internet. So it really matters what choice mechanism you give 
because the stakes really get high. Now in our self-regulatory sys- 
tem that we put out we actually followed very closely the FTC’s 
own definition which was extremely broad and included, you know, 
sort of all data used for behavioral advertising — online behavioral 
advertising. But because we had an opt-out requirement instead of 
an opt-in, it was something that our industry at least — I can speak 
for us, we could live with that. We could live with the broader defi- 
nition if we got the choice mechanism right. So I think they all 
kind of, you know — this is a holistic bill and the different provi- 
sions really have to work together. You have had great staff work 
to put this together and we just need to be cognizant of that, and 
we stand ready to work through those issues with you. 

Mr. Rush. Do you have any additional questions? 
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Mr. Whitfield. I will just make one other comment. We are in 
a little bit of a debate about adopting a fully opt-in system in the — 
we have heard some people say whether it would significantly im- 
pact e-commerce in a negative way, how many of you feel that it 
would? An opt-in system would dramatically impact e-commerce? 
OK, good. So almost everybody up there, except I guess you Mr. 
Mierzwinski and 

Ms. Harris. There is some ambiguity here. Go ahead. 

Mr. Vladeck. I think that we have been struggling with this 
question for a long time, and I am not speaking for the Commission 
now. I am speaking for staff. I think there is too much fray given 
to the question of the label of opt-in or opt-out. The concepts are 
not self-defining and skilled marketers, and there are lots of them 
out there, can easily make either method of expressing choice ei- 
ther easy or difficult. We have both given what is called affirmative 
consent because we have clicked the button and we both, you know, 
all of us have easily given in to either method. In our view the 
questions merely doesn’t boil down to this label. It is a legal label. 
It is not really a practical label. We believe that the goal ought to 
be to insure the consumers are well informed, and are given easy, 
and clear tools with which to exercise choice. Clarity and ease of 
use ought to be the key metrics, not easily manipulable legal terms 
like opt-in, and opt-out. And that is what we think the real prob- 
lem is. 

Mr. Whitfield. Thank you, thank you. 

Ms. Harris. I have nothing to add to that. 

Mr. Whitfield. We should have asked him a question earlier. 

Mr. Vladeck. I am fine. 

Mr. Rush. Well, the Chair — that concludes our questioning. And 
I merely want to reiterate to the witnesses how appreciative we are 
for you taking your time to come and share with us your expertise 
and your insights into this process and into both of the drafts, Mr. 
Boucher’s draft bill and to H.R. 5777. And the Chair wants to as- 
sure everyone who is present, including our witnesses, that there 
will be ample opportunity for more input before we mark up this 
bill. I am cognizant of the fact that this bill was introduced four 
days ago and we are having a hearing, but I am also determined 
that we need to move forward, you know. I am not sure, there 
won’t be — there will be a lot of deliberation, but it won’t be unnec- 
essary delay in terms of getting this bill to the floor as it be, and 
hopefully to the floor. And we want to — what was some — I want to 
give you assurances that your time is not just being wasted here. 
It is really — ^your investment in this process will result in a better 
bill but it will be a bill that hopefully will become law. And I want 
to thank you so very much for being here this afternoon. And with 
that said this Subcommittee is now adjourned. 

[Whereupon, at 4:42 p.m., the Subcommittee was adjourned.] 


O 



